Matrix.org hack forces servers offline, encrypted chat history lost

Matrix.org suffered a cyberattack which forced the group to boot all of their users out of the system.
Written by Charlie Osborne, Contributing Writer

Matrix.org has become a victim of a cyberattack which has forced the organization to overhaul its entire production infrastructure and inform users of a widespread credentials leak.

On Thursday, the developer of the open standard for real-time communication over IP -- including Instant Messaging, VoIP/WebRTC signaling, and Internet of Things (IoT) communication -- said in a blog post that an unknown attacker managed to gain access to the servers hosting Matrix.org.

According to the group, the hacker obtained access to a production database which, in turn, potentially granted them access to "unencrypted message data, password hashes, and access tokens."

The non-profit, of which its standard is used by decentralized chat platforms including Riot, WeeChat, Nheko, and Quaternion, was required to pull its home server and production infrastructure offline as soon as the breach was detected.

The disruption has caused hours of ongoing downtime, in which Matrix.org said the organization had run into issues "rebuilding production from scratch." Websites, databases, synapse, LBs, and media repositories were all impacted.

Modular.im homeservers, however, are unscathed.

See also: Yahoo data breach settlement effort reaches $117.5 million

"Source code & packages are unaffected," Matrix.org said on Twitter. "We do not think user data was targeted, but are playing it safe."

The group says that the security incident was caused due to vulnerabilities in the production infrastructure, namely, an outdated version of Jenkins, an open-source Java automation server.

CVE-2019-1003000, CVE-2019-1003001, and CVE-2019-1003002 were used to hijack and steal internal SSH keys to access the production infrastructure.

CNET: Julian Assange's defense against hacking charges, and where it falls short

Ethical hacker JaikeySarraf informed Matrix.org of the presence of these security flaws on 9 April. The next day, the Matrix team had pinpointed the location of the vulnerabilities and subsequently uncovered the full extent of the attack.

On 10 April, Jenkins was removed, revoking the attacker's access. 24 hours later, Matrix.org pulled its main home server offline and began rebuilding its production infrastructure.

All Matrix.org users have been logged out and have been asked to immediately change their passwords. While the attacker did not gain access to plaintext passwords, weak, hashed credentials could still potentially be cracked.

Unencrypted content -- including private messages, password hashes, and access tokens -- may have been compromised, which has led Matrix.org to log all users out and has also potentially prevented some users from being able to access their encrypted conversation history if no backups were in place.

TechRepublic: How to block SSH attacks on Linux with denyhosts

"This was a difficult choice to make," Matrix.org says. "We weighed the risk of some users losing access to encrypted messages against that of all users' accounts being vulnerable to hijack via the compromised access tokens. We hope you can see why we made the decision to prioritize account integrity over access to encrypted messages, but we're sorry for the inconvenience this may have caused."

The group is currently focusing on restoring services and rebuilding its internal systems. Matrix.org has promised that the organization will boost its security and stick to more aggressive patching practices in the future. 

These are the worst hacks, cyberattacks, and data breaches of 2018

Previous and related coverage

Editorial standards