Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Attacker Offers Advice to Matrix.org After Hacking Its Systems

Matrix.org had its systems hacked and its website defaced by someone who decided to disclose the security issues found during the attack.

Matrix.org had its systems hacked and its website defaced by someone who decided to disclose the security issues found during the attack.

Matrix.org develops an open source standard for secure and decentralized real-time communications. The standard can be used for instant messaging, IoT communications, and VoIP or WebRTC signaling.

The organization behind Matrix.org informed users on Thursday that someone had gained unauthorized access to its production databases, including unencrypted message data, access tokens and password hashes.

Matrix.org hackedMatrix.org said the hacker had exploited a known vulnerability in the Jenkins open source automation server to hijack credentials and access its production infrastructure. The organization said homeservers other than matrix.org, source code and packages, identity servers, and Modular.im servers were not impacted.

However, it urged users to immediately change their Matrix and NickServ passwords. All users have been logged out from matrix.org and those who don’t have backups of their encryption keys may not be able to read their previous conversations.

“Forensics are ongoing; so far we’ve found no evidence of large quantities of data being downloaded. The attacker did have access to the production database, so unencrypted content (including private messages, password hashes and access tokens) may be compromised,” Matrix.org said.

Based on Matrix.org’s investigation, the attack started on March 13 and it was detected on April 10 after someone notified it of the Jenkins vulnerability. The company started cleaning up its systems, but neglected to replace a Cloudflare API key that the attacker had obtained earlier. This API key allowed the hacker on Friday to change the DNS records for matrix.org and redirect users to a GitHub page showing some of the data he had accessed.

“The API key was known compromised in the original attack, and during the rebuild the key was theoretically replaced. However, unfortunately only personal keys were rotated, enabling the defacement. We are currently doublechecking that all compromised secrets have been rotated,” Matrix.org representatives explained.

The attacker does not seem to have had malicious intentions as they created a GitHub project where they shared some of the security issues noticed during the attack and suggested some improvements. The information posted by the hacker on GitHub was removed just as this article was being written.

Related: Millions of Toyota Customers in Japan Hit by Data Breach

Related: Typeform Data Breach Hits Many Organizations

Related: OSIsoft Warns Employees, Contractors of Data Breach

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.