The attacker seems to have responded:<p><a href="https://github.com/matrix-org/matrix.org/issues/357" rel="nofollow">https://github.com/matrix-org/matrix.org/issues/357</a>
edit: just saw the rest: <a href="https://github.com/matrix-org/matrix.org/issues?utf8=%E2%9C%93&q=is%3Aissue+SECURITY" rel="nofollow">https://github.com/matrix-org/matrix.org/issues?utf8=%E2%9C%...</a><p>"[SECURITY] SSH Agent Forwarding<p>I noticed in your blog post that you were talking about doing a postmortem and steps you need to take. As someone who is intimately familiar with your entire infrastructure, I thought I could help you out.<p>Complete compromise could have been avoided if developers were prohibited from using ForwardAgent yes or not using -A in their SSH commands. The flaws with agent forwarding are well documented."
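Added example, not part of the thread or of the quoted GitHub issue: a small audit that lists every place an OpenSSH client config turns agent forwarding on, which is the setting the issue text above points at. The sample config and its host names are constructed for illustration, and the check covers config files only, not `-A` on the command line.

```python
import re

# "Keyword value" and "Keyword=value" are both valid ssh_config syntax;
# keywords are case-insensitive.
DIRECTIVE = re.compile(r"\s*([A-Za-z]+)(?:\s*=\s*|\s+)(.*?)\s*$")

# Constructed sample of a developer's ~/.ssh/config (hosts are made up).
SAMPLE_CONFIG = """\
# constructed sample, hosts are made up
Host bastion.example.org
    ForwardAgent yes
    User deploy
Host *.internal.example.org
    ProxyJump bastion.example.org
Host build
    forwardagent=$SSH_AUTH_SOCK
Host *
    ForwardAgent no
"""

def find_agent_forwarding(config_text):
    """Return [(line_no, scope, value)] for each ForwardAgent setting that is not 'no'.

    Besides 'yes', ForwardAgent accepts a socket path or a '$VAR' name,
    both of which also enable forwarding, so anything except 'no' is reported.
    """
    findings = []
    scope = "(global)"  # directives before the first Host/Match apply to all hosts
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # blank line or comment
        keyword, value = m.group(1).lower(), m.group(2).strip('"')
        if keyword in ("host", "match"):
            scope = f"{keyword} {value}"
        elif keyword == "forwardagent" and value.lower() != "no":
            findings.append((line_no, scope, value))
    return findings

if __name__ == "__main__":
    for line_no, scope, value in find_agent_forwarding(SAMPLE_CONFIG):
        print(f"line {line_no}: [{scope}] ForwardAgent {value}")
```

This is a static lint of what the file says; `ssh -G <host>` prints the effective value for one host after OpenSSH's first-match-wins resolution.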
Did the blog get hacked (again?) in between this being posted and now? It has what looks like password hashes and `uname -a` from every(?) server in their infrastructure.<p>This is about as bad as IR can get: you realize you got hacked, you re-build your entire infrastructure and publicly say it's fixed, and then you get popped again...
The most favorable reading of the current defacement page is that the attackers still control the DNS, but no other parts of the infrastructure.<p>Otherwise, the page probably wouldn't run off github.
Assuming the GitHub issues are from the actual attacker -- and I see no reason to doubt they are -- this is very troubling:<p><a href="https://github.com/matrix-org/matrix.org/issues/363" rel="nofollow">https://github.com/matrix-org/matrix.org/issues/363</a><p><i>Compromise began well over a month ago</i><p>Yikes. That's a long time for a compromise to go unnoticed.
> As we had to log out all users from matrix.org, if you do not have backups of your encryption keys you will not be able to read your encrypted conversation history<p>That seems like a fairly bad usability/security design?
content before it gets fixed:<p><pre><code> Time for actual transparency.
[list of servers, uname -a for each]
root@[name]:/var/lib/postgresql# df -h
[list of partitions]
$ cat users.txt | grep [name] | head -n1
@[name]:matrix.org|[hash]
$ wc -l users.txt
[~6M users]
See you soon.
</code></pre>
(affects whole site, even <a href="https://matrix.org" rel="nofollow">https://matrix.org</a>, site is on jekyll BTW)