Matrix—the organization behind an open source project that offers a protocol for secure and decentralized real-time communication—has suffered a massive cyber attack after unknown attackers gained access to the servers hosting its official website and data.

Hackers defaced Matrix’s website, and also stole unencrypted private messages, password hashes, access tokens, as well as GPG keys the project maintainers used for signing packages.

The cyber attack eventually forced the organization to shut down its entire production infrastructure for several hours and log all users out of Matrix.org.

So, if you have an account with the Matrix.org service and do not have backups of your encryption keys or were not using server-side encryption key backup, unfortunately, you will not be able to read your entire encrypted conversation history.
Matrix is an open source end-to-end encrypted messaging protocol that allows anyone to self-host a messaging service on their own servers, powering many instant messengers, VoIP, WebRTC, bots and IoT communication.

Vulnerable Jenkins Allowed Attackers to Access Server
According to a press release published today by the Matrix Project, unknown attackers exploited a sandbox bypass vulnerability in its production infrastructure on 4th April, which was running an outdated, vulnerable version of the Jenkins automation server.

The Jenkins flaw allowed attackers to steal internal SSH keys, which they used to access Matrix’s production infrastructure, eventually granting them access to unencrypted content, including personal messages, password hashes, and access tokens.
Screenshot Credit: David on Twitter
After being informed of the vulnerability by JaikeySarra on 9th April, Matrix.org identified the full scope of the attack and removed the vulnerable Jenkins server as well as revoked the attacker’s access from its servers on 10th April.

The next day, Matrix.org also took its home server down and started rebuilding its production infrastructure from scratch, which …
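The chain described above (SSH keys lifted from the CI host, used to reach production, then revoked once the intrusion was found) is exactly the kind of drift a defender wants to detect before the revocation step becomes necessary. The following is an added example, not code from the article or from Matrix.org: a small Python audit that compares a host's authorized_keys file against the set configuration management is supposed to deploy, matching by SHA256 fingerprint in the same form `ssh-keygen -lf` prints. Every key blob, comment and file body below is a constructed placeholder, not a real key.

```python
"""Audit an OpenSSH authorized_keys file against the keys that should be there.

Added example, not code from the article or from Matrix.org. The key blobs,
comments and file contents below are constructed for the demo; none of them
is a real key.
"""
import base64
import hashlib

# Key-type tokens OpenSSH accepts in authorized_keys lines.
KEY_TYPES = (
    "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)


def _fake_blob(label: str) -> str:
    """Build a base64 blob from a label string (constructed, not a real key)."""
    return base64.b64encode(label.encode()).decode()


KEY_CI = _fake_blob("constructed-ci-deploy-key")
KEY_ADMIN = _fake_blob("constructed-ops-admin-key")
KEY_UNKNOWN = _fake_blob("constructed-key-nobody-deployed")

# Desired state: the keys configuration management is supposed to deploy.
EXPECTED_AUTHORIZED_KEYS = f"""\
ssh-ed25519 {KEY_CI} ci@build-host
restrict,from="10.0.0.0/8" ssh-ed25519 {KEY_ADMIN} ops@bastion
"""

# Observed state: what was actually read from the host (constructed sample
# that contains one key absent from the expected set).
OBSERVED_AUTHORIZED_KEYS = f"""\
# deploy keys
ssh-ed25519 {KEY_CI} ci@build-host
restrict,from="10.0.0.0/8" ssh-ed25519 {KEY_ADMIN} ops@bastion
ssh-ed25519 {KEY_UNKNOWN} root@unknown
"""


def fingerprint(blob: str) -> str:
    """Return the fingerprint in the form `ssh-keygen -lf` prints it:
    SHA256 over the decoded key blob, base64 encoded without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[dict]:
    """Parse authorized_keys lines into dicts with options/type/blob/comment.
    Options, when present, precede the key type; the key-type token is located
    by name, so quoted options containing spaces still leave the key findable."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # not a key line we understand; skip it
        entries.append({
            "options": " ".join(fields[:idx]),
            "type": fields[idx],
            "blob": fields[idx + 1],
            "comment": " ".join(fields[idx + 2:]),
        })
    return entries


def audit(observed: str, expected: str) -> dict:
    """Compare the host's authorized_keys with the expected set by fingerprint.
    Returns keys present but not expected ("unexpected") and keys expected but
    absent ("missing"), each as (fingerprint, comment) tuples."""
    want = {fingerprint(e["blob"]): e for e in parse_authorized_keys(expected)}
    have = {fingerprint(e["blob"]): e for e in parse_authorized_keys(observed)}
    return {
        "unexpected": [(fp, have[fp]["comment"]) for fp in have if fp not in want],
        "missing": [(fp, want[fp]["comment"]) for fp in want if fp not in have],
    }


if __name__ == "__main__":
    report = audit(OBSERVED_AUTHORIZED_KEYS, EXPECTED_AUTHORIZED_KEYS)
    for fp, comment in report["unexpected"]:
        print(f"UNEXPECTED key {fp} ({comment}): investigate and remove")
    for fp, comment in report["missing"]:
        print(f"MISSING key {fp} ({comment}): host drifted from desired state")
```

Run against the real file on each host (for example from a periodic job that feeds the result into alerting), and treat any UNEXPECTED entry as an incident indicator rather than mere drift. Matching on fingerprint rather than on the comment field matters because the comment is free text an intruder can set to anything; and once a key is known stolen, removing it from authorized_keys is only half the job, the key pair itself has to be rotated wherever it was used.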