Lemmy security issue - Custom emoji temporarily removed and all user logins have been reset.

As you may have seen, lemmy.world was recently compromised due to an attacker gaining access to an Administrator account.

This exploit is related to the custom emoji feature, so as a precaution the few custom emoji we had so far have been removed.

As the attack involves hijacking an already logged-in account session, all user sessions have been reset - just in case any possumpat.io account was compromised while we had custom emoji enabled. I apologize for the inconvenience.

I'll update this post once we know more, and as always if you have any questions let me know.

Edit: For those interested in the technical details, this github thread details the vulnerability and ongoing efforts to mitigate it.

Edit: lemmy.world's post on the hack.

Edit: Exploit has been patched, will re-enable custom emoji soon.