matrix.org infrastructure hack

The developers of the Matrix decentralized messaging platform have announced an emergency shutdown of the Matrix.org servers and of Riot.im, the main Matrix client, after a compromise of the project's infrastructure. The first outage took place last night; afterwards the servers were restored and the applications were rebuilt from the reference source code. A few minutes ago, however, the servers were compromised a second time.

The attackers posted detailed information about the server configuration on the project's main page, together with data showing the presence of a database holding password hashes of almost five and a half million Matrix users. As evidence, a hash of the password of the Matrix project lead was published. The modified site code was placed in the attackers' own repository on GitHub (not in the official Matrix repository). Details about the second hack are not yet available.

After the first hack, the Matrix team published a report stating that the intrusion was carried out through a vulnerability in an unpatched Jenkins continuous-integration server. Having gained access to Jenkins, the attackers captured SSH keys and used them to reach other infrastructure servers. The team stated that the source code and release packages were not affected, and that the Modular.im servers were not touched. The attackers did, however, gain access to the main database, which contains, among other things, messages that were not end-to-end encrypted, access tokens, and password hashes.
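The lateral movement described above ran on SSH trust: a key reachable from the CI host was enough to reach the other servers. As an added example (not code from the Matrix project or from the opennet.ru report), the Python script below audits the two places where that trust is usually looser than intended: `authorized_keys` entries that lack a `from=` source restriction, a forced `command=`, or the `restrict` option, and `ssh_config` blocks that turn on `ForwardAgent`, which exposes the user's private keys to whatever runs on the remote host. The key material and host names in the sample files are constructed placeholders, and the report does not say which of these settings was actually in play at Matrix.

```python
"""Audit OpenSSH trust settings that enable lateral movement with a stolen key.

Added example, not the Matrix project's code. Parses plain OpenSSH
authorized_keys and ssh_config syntax; all sample input below is constructed.
"""
import re
from dataclasses import dataclass, field

# Key-type tokens that separate the optional options field from the key itself.
# Limitation: a quoted command containing " ssh-rsa " would confuse this split.
_KEY_TYPE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+|sk-[\w.-]+@openssh\.com)\s"
)

# Constructed sample: the base64 fields are placeholders, not real keys.
AUTHORIZED_KEYS = """\
# CI host keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH7uPLACEHOLDER jenkins@ci
from="10.0.0.5",restrict,command="/usr/local/bin/deploy" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9xPLACEHOLDER deploy@ci
no-agent-forwarding,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAPLACEHOLDER admin@laptop
"""

# Constructed sample ~/.ssh/config with one block that forwards the agent.
SSH_CONFIG = """\
Host *
    ForwardAgent no
Host jenkins
    HostName jenkins.example.invalid   # placeholder host name
    ForwardAgent yes
"""


@dataclass
class KeyFinding:
    line_no: int
    comment: str
    problems: list = field(default_factory=list)


def _parse_options(text):
    """Split an authorized_keys options field on commas outside double quotes."""
    opts, cur, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            opts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        opts.append(cur)
    return [o.strip() for o in opts if o.strip()]


def audit_authorized_keys(content):
    """Return a KeyFinding for every key that is usable more widely than it should be."""
    findings = []
    for n, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_TYPE.search(line)
        if not m:
            continue  # not a key line this parser understands
        opts = _parse_options(line[: m.start()])
        names = {o.split("=", 1)[0].lower() for o in opts}
        rest = line[m.end():].split(None, 1)
        comment = rest[1] if len(rest) > 1 else ""
        problems = []
        if "from" not in names:
            problems.append("no source restriction (from=)")
        if "restrict" not in names and "no-agent-forwarding" not in names:
            problems.append("agent forwarding allowed")
        if "restrict" not in names and "no-port-forwarding" not in names:
            problems.append("port forwarding allowed")
        if "command" not in names:
            problems.append("no forced command")
        if problems:
            findings.append(KeyFinding(n, comment, problems))
    return findings


def agent_forwarding_hosts(config):
    """Return the Host/Match patterns whose block sets ForwardAgent yes."""
    hosts, current = [], "(global)"
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("host", "match"):
            current = value
        elif key == "forwardagent" and value.lower() == "yes":
            hosts.append(current)
    return hosts


if __name__ == "__main__":
    for f in audit_authorized_keys(AUTHORIZED_KEYS):
        print(f"authorized_keys line {f.line_no} ({f.comment}): {', '.join(f.problems)}")
    for h in agent_forwarding_hosts(SSH_CONFIG):
        print(f"ssh_config: ForwardAgent yes for Host {h}")
```

On the sample input only the `deploy@ci` key passes: it is pinned to one source address, limited to one command, and stripped of forwarding. The unrestricted `jenkins@ci` key is the shape of credential that turns a CI compromise into access to every host that trusts it.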

All users were required to change their passwords. But while changing passwords in the main Riot client, users found that the backup copies of the keys needed to restore encrypted correspondence had disappeared, leaving them unable to read their past message history. In Matrix the end-to-end encryption keys live in the client, so a session that is logged out without a key backup cannot decrypt the history it previously held.

Recall that the Matrix platform for decentralized communications is presented as a project built on open standards that pays close attention to user security and privacy. Matrix provides end-to-end encryption based on the proven Signal protocol, supports search and unlimited browsing of message history, and can be used to transfer files, send notifications, show participants' online presence, organize conferences, and make voice and video calls. It also supports such advanced features as typing notifications, read receipts, push notifications, server-side search, synchronization of client history and state, and various identifier options (email, phone number, Facebook account, etc.).

Source: opennet.ru
