Hexbear was a victim of a targeted XSS attack similar to the attack many other Lemmy instances have seen.

The account that first leveraged the attack was registered on 2023-07-10 at 03:58 UTC; the fix for the vulnerability was applied by around 04:35 UTC. This leaves a ~40 minute window in which anyone browsing the site could have had their account hijacked.

The attacker was able to act (post, comment, DM) as the account they hijacked. They will also have been able to view/use the compromised account's settings page, which means they will have been able to see users' email addresses. Some accounts that were compromised were temporarily banned; these bans have now been lifted.

If you were using the site during the above time window, please double check your account settings to see if anything was changed.

Passwords were not stolen; JWTs were. We have just invalidated all old JWTs, so the attacker no longer has access to the hijacked accounts (this is why all users have been logged out).
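The "invalidate all old JWTs" step above is the part of the response that actually cuts the attacker off, since a stolen token keeps working until the server refuses it. The following is an added example (not Hexbear's or Lemmy's own code; Lemmy's real implementation differs) of a minimal HS256 JWT issuer and verifier in Python where the server keeps a single revocation cutoff and rejects every token issued before it. The signing secret and the claim layout are constructed for the example; the cutoff timestamp is the 04:35 UTC fix time from the announcement.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed signing secret for this example only; a real server loads it from configuration.
SECRET = b"example-hs256-secret-not-a-real-key"

# Global revocation cutoff: every token issued before the fix was deployed is void.
# The timestamp is the one in the announcement above (2023-07-10 04:35 UTC).
TOKENS_INVALID_BEFORE = int(datetime(2023, 7, 10, 4, 35, tzinfo=timezone.utc).timestamp())


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(sub: str, iat: int, exp: int, secret: bytes = SECRET) -> str:
    """Mint a minimal HS256 JWT carrying subject, issued-at and expiry claims (assumed layout)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps({"sub": sub, "iat": iat, "exp": exp}, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, now: int, invalid_before: int = TOKENS_INVALID_BEFORE, secret: bytes = SECRET):
    """Return (accepted, reason, claims).

    Rejects, in order: malformed tokens, unexpected algorithms, bad signatures,
    expired tokens, and otherwise-valid tokens issued before the global cutoff.
    The last check is the "invalidate all old JWTs" step from the announcement.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        actual_sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        return False, "malformed", None
    # Pin the algorithm server-side; never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "bad-alg", None
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, actual_sig):
        return False, "bad-signature", None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return False, "malformed", None
    if not isinstance(claims, dict):
        return False, "malformed", None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired", None
    # Anything issued before the cutoff is dead, including tokens stolen during the attack window.
    if not isinstance(claims.get("iat"), int) or claims["iat"] < invalid_before:
        return False, "revoked", None
    return True, "ok", claims


def demo() -> dict:
    """Replay the timeline: a token stolen mid-window is refused once the cutoff is in place."""
    stolen_at = TOKENS_INVALID_BEFORE - 30 * 60   # issued (and stolen) roughly mid-window
    now = TOKENS_INVALID_BEFORE + 60              # one minute after the fix
    stolen = issue_jwt("victim", iat=stolen_at, exp=now + 86400)
    fresh = issue_jwt("victim", iat=now, exp=now + 86400)
    # A payload edited to claim a different subject no longer matches the signature.
    h, _, s = stolen.split(".")
    forged_payload = _b64url_encode(json.dumps({"sub": "admin", "iat": now, "exp": now + 86400}).encode())
    forged = f"{h}.{forged_payload}.{s}"
    return {
        "stolen": verify_jwt(stolen, now)[1],
        "fresh": verify_jwt(fresh, now)[1],
        "forged": verify_jwt(forged, now)[1],
    }
```

A single issued-before cutoff is the cheapest way to implement "log everyone out": it needs one stored integer rather than a per-token denylist, at the cost of invalidating legitimate sessions too, which is exactly the trade-off the announcement describes.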

  • DiltoGeggins [none/use name] · 1 year ago

    Three accounts were compromised and notified

    See, now that's a winning statement. I would have led with that. JMO

    • Aceivan [they/them, null/void] · edited · 1 year ago

      I'm not sure there's any way of knowing that for sure, actually, since it was a client-side exploit. Anyone browsing the megathread (or anywhere else the attacker posted; I think it was just the mega?) in that 30 min window would have had their token sent to the attacker's server (exposing their IP if they were not using a VPN). Then, if the attacker used the token, they could have logged in and viewed profile settings (of which really the only sensitive one is email, I would think) or DMs. I can't think of a simple way to prove whether or not the attacker did so, but given their MO and relative lack of sophistication I'd guess they weren't interested in user info, just defacing the site by gaining admin accounts, which they failed to do. I assume the 3 accounts were the ones that posted the gore or targeted admins with the stealer via DM.