26 votes

Matrix.org data breach

16 comments

  1. [13]
    Soptik
    Here are all issues made by the hacker on matrix github. They are no longer accessible via normal means, but luckily internet archive has a copy. SSH Agent Forwarding 2FA is gud Signing keys in...
    17 votes
    1. [11]
      Rocket_Man
      It is odd for an attacker to give feedback right?

      7 votes
      1. [10]
        crdpa
        It was really cool.

        5 votes
        1. [9]
          PopeRigby
          I wouldn't call it cool. He's an asshole for compromising all the data of innocent users. He was trying to make a point but it hurt people who had nothing to do with it. He should have privately contacted them and told them about it instead.

          9 votes
          1. [4]
            crdpa
            Oh yes. I didn't mean that he was a cool person. Just that it was cool to see that.

            Don't know if I'm making any sense. It was just a cool part of a shitty thing.

            6 votes
            1. [3]
              PopeRigby
              Just that it was cool to see that.

              What was cool to see about it?

              1. [2]
                Deimos
                They explained, in detail, what vulnerabilities they took advantage of, and multiple ways that it could have been detected and prevented, and gave info about how to stop similar breaches from happening in the future.

                That's a far better place to be starting from as the person trying to figure out what happened and what they need to fix, compared to "someone got in, but we have no idea how".

                12 votes
                1. PopeRigby
                  That is pretty interesting, I guess.

          2. [4]
            Octofox
            No one is hurt unless the data gets abused. Thankfully passwords were properly stored and messages were end to end encrypted, so all the attacker would have had access to is a user list and who they were talking to, which is not great but it's not the end of the world.

            3 votes
            1. [3]
              PopeRigby
              That doesn't excuse the fact that he took it in the first place.

              1 vote
              1. [2]
                Octofox
                There is no proof they actually took any data. They gained access to the server and redirected the website to a page showing they had access to the user list. They may not actually care for the data and just left it all on the server.

                2 votes
                1. PopeRigby
                  There is no proof they actually took any data.

                  That's true, but they potentially did. Even if they took nothing, it's more of the principle that they messed with them instead of telling them privately.

                  2 votes
    2. Shahriar
      To have this person give feedback like that is truly fascinating to see. I wonder what their true intentions were?

      3 votes
  2. clerical_terrors
    It is not mentioned in the TL;DR on the top, but according to an update they have now confirmed matrix.org password hashes have in fact been obtained from the production database; everyone who is registered on matrix.org or has bridged to IRC with it is advised to reset their passwords.

    GPG keys for signing packages were also compromised; no update of Synapse had been pushed, and only one for the Riot client, but Matrix believed the latter update to have been secure.

    13 votes
  3. Arshan
    I am glad Matrix seems to be open and not try to pretend that it isn't bad. Security is hard, and when things get broken, it is refreshing for organizations to admit their failings.

    8 votes
  4. ThatFanficGuy
    "security incident". Whoopsie-daisy!

    Bloody hell. "How to underrepresent the bad thing happened 101"

    2 votes