When logging into lemmy.world the banner now says "Israel - ni**a style" (full word unredacted) and it starts linking to lemon party and a bunch of other NSFW sites.
EDIT 2: MichelleG account admin was restored and she posted an update but shortly after the changes happened again. Her account is likely still compromised with someone else accessing things via it.
EDIT 3: lemmy.world back online. MichelleG has again been removed as admin. Most things appear to have been cleaned up. Blocked instances still need to be fixed however.
Worse. Admin account. The MichelleG account is an admin and it appears that it was compromised and is what is causing all the problems. It looks like they have removed it from admin so things won't get worse but they will likely take a bit to find and repair all the stupid little changes that were made.
Based on the GitHub / Rudd's new post, it looks like there was an "Evil Post" that contained a Markdown-to-JavaScript escape and actually allowed the hacker to run JavaScript in our web-browsers. Something to do with custom emojis?
So the problem was multi-fold.
1. The hacker created the "Evil Post", which constantly was stealing people's cookies. Anyone who viewed the evil post in a web browser (Chrome/Firefox/Edge) allowed the hacker to have access to their account (and anything you can do in the web browsers).
2. The hacker waited until an admin viewed the post. Then took control of the administrator's account, and likely a few other people's accounts as well. DMs containing the evil-JavaScript post were sent to various moderators.
3. Hacker used the account access to just troll us.
Fixing #3 doesn't fix #2 or #1. So eventually, when #3 was fixed, the hacker just grabbed the admin-account and made everything back to the way it was.
The problem wouldn't be fixed permanently until #3, #2, and #1 were all fixed. Which they seem to be fixed now. But this "evil post" is going around the Federation. Other Lemmy-instances may have the post cached, and the users on those lemmies will likely have their JWT cookie also stolen (allowing the hacker to take over people's accounts on those instances in a similar manner).
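The comment above notes that undoing the visible changes did not help while the stolen JWT cookie was still accepted. As an added example (not code from this thread or from Lemmy), here is one way a server can refuse every token issued to an account before a containment cutoff; the function names, the `cutoffs` map and the HS256 token layout are assumptions made for the illustration.

```javascript
// Added example, not Lemmy's code; every name below is hypothetical.
const crypto = require('crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');
const hmac = (data, secret) =>
  crypto.createHmac('sha256', secret).update(data).digest();

// Issue an HS256 JWT with the user id (sub) and issue time (iat, seconds).
function issueToken(userId, secret, nowSec) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify({ sub: userId, iat: nowSec }));
  return `${head}.${body}.${b64url(hmac(`${head}.${body}`, secret))}`;
}

// cutoffs: Map userId -> time (seconds). A token issued at or before the
// cutoff is refused even though its signature still verifies.
function verifyToken(token, secret, cutoffs) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;
  const expected = hmac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  let claims;
  try {
    claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (typeof claims?.sub !== 'string' || typeof claims?.iat !== 'number') {
    return { ok: false, reason: 'malformed' };
  }
  if (cutoffs.has(claims.sub) && claims.iat <= cutoffs.get(claims.sub)) {
    return { ok: false, reason: 'revoked' };
  }
  return { ok: true, userId: claims.sub };
}

// Containment step: refuse every token the account has been issued so far.
function revokeAllSessions(userId, cutoffs, nowSec) {
  cutoffs.set(userId, nowSec);
}
```

With a check like this, a copied token stops working the moment the cutoff is set, and the account owner gets a fresh token by logging in again.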
Personally I don't use 2FA even though I want to. I use Bitwarden for everything and I have no way to set up 2FA inside Bitwarden. I can set it up through Authy but prefer not to.
Yea for your average user I can get that, but this was an admin account. Sounds like 2FA was already compromised so will be interesting to understand how that happened in the first place.