Change your Matrix password if you have your account at matrix.org.
Here’s what you need to know.
TL;DR: An attacker gained access to the servers hosting Matrix.org. The intruder had access to the production databases, potentially giving them access to unencrypted message data, password hashes and access tokens. As a precaution, if you’re a matrix.org user you should change your password now.
The matrix.org homeserver has been rebuilt and is running securely; bridges and other ancillary services (e.g. this blog) will follow as soon as possible. Modular.im homeservers have not been affected by this outage.
The security breach is not a Matrix issue.
The hacker exploited a vulnerability in our production infrastructure (specifically a slightly outdated version of Jenkins). Homeservers other than matrix.org are unaffected.
How does this affect me?
We have invalidated all of the active access tokens for users on Matrix.org – all users have been logged out.
Users with Matrix.org accounts should:
- Change your password now – no plaintext Matrix passwords were leaked, but weak passwords could still be cracked from the hashed passwords
- Change your NickServ password (if you’re using IRC bridging) – there’s no evidence bridge credentials were compromised, but if you have given the IRC bridges credentials to your NickServ account we would recommend changing this password
And as a reminder, it’s good practice to:
- Review your device list regularly – make sure you recognise all of the devices connected to your account
- Always make sure you enable E2E encryption for private conversations
What user data has been accessed?
Forensics are ongoing; so far we’ve found no evidence of large quantities of data being downloaded. The attacker did have access to the production database, so unencrypted content (including private messages, password hashes and access tokens) may be compromised.
What has not been affected?
Full info – matrix.org