TL;DR: social hacks > exploits. Keep an eye on your repository and org permissions. Don't take sweets from strangers. (Thread)
A deep investigation of post-mortem database dumps and backup dumps revealed that users with valid permissions had given other users owner status, who then mutilated content, deleted the org, then someone created a username with the same name as the previous org with misleading content, so that external links now pointed to the new content.
This implies the rogue user had gained access to the group not by exploit, but by social engineering.
So, please: Keep the number of owners limited, and be sure to trust each other. Use a git-flow that does as little as needed on the "hot" repos (and think twice whether you need force-push always enabled. Force-pushed changes cannot be undone with git tools unless there are backups).
Use pull requests. Easy to review, easy to manage, and only the project maintainers/owners need full access to the repo to merge them.
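One way to act on the force-push advice above at the repository level, as an added example that is not part of the Codeberg thread: configure the hosted ("hot") bare repository so the server itself refuses non-fast-forward updates and ref deletion, and keep a server-side reflog so any accepted ref change still leaves a trace. Everything here is constructed in a temporary directory; the repository name, user identity and branch name are assumptions.

```shell
#!/bin/sh
# Added example (not the Codeberg post's own code): a bare "hot" repository
# configured so the server refuses force-pushes and branch deletion, followed by
# a probe that shows a rewritten history is rejected while a normal push succeeds.
set -e

# Apply the three server-side guards to a bare repository at "$1" (constructed).
make_guarded_hub() {
  hub="$1"
  git init -q --bare "$hub"
  git -C "$hub" config receive.denyNonFastForwards true   # refuse history rewrites, even with --force
  git -C "$hub" config receive.denyDeletes true           # refuse deleting refs (branches, tags)
  git -C "$hub" config core.logAllRefUpdates true         # bare repos keep no reflog unless asked
}

# Publish a commit, then try to rewrite it and to delete the branch.
# Echoes "rewrite:refused delete:refused kept:first" when the guards hold.
probe_guards() {
  work=$(mktemp -d)
  hub="$work/hot.git"      # stands in for the hosted repository
  clone="$work/clone"      # stands in for a contributor's working copy
  make_guarded_hub "$hub"

  git init -q "$clone"
  git -C "$clone" config user.email "dev@example.invalid"   # assumed identity
  git -C "$clone" config user.name "Example Dev"
  git -C "$clone" checkout -q -b main
  echo one > "$clone/file"
  git -C "$clone" add file
  git -C "$clone" commit -q -m first
  git -C "$clone" remote add origin "$hub"
  git -C "$clone" push -q origin main            # fast-forward push: accepted

  git -C "$clone" commit -q --amend -m rewritten  # rewrite the already published commit
  if git -C "$clone" push -q --force origin main 2>/dev/null; then
    rewrite=accepted
  else
    rewrite=refused                               # receive.denyNonFastForwards kicks in
  fi
  if git -C "$clone" push -q origin --delete main 2>/dev/null; then
    delete=accepted
  else
    delete=refused                                # receive.denyDeletes kicks in
  fi

  kept=$(git -C "$hub" log -1 --format=%s main)  # what the server still holds
  rm -rf "$work"
  echo "rewrite:$rewrite delete:$delete kept:$kept"
}

probe_guards
```

These are per-repository settings on the git server; hosted forges expose the same idea as branch protection rules. With the guards on, the rewritten commit never replaces the published one, so the "cannot be undone" situation in the post does not arise for that branch; `core.logAllRefUpdates` additionally records every ref move in the bare repository's reflog, which gives the owners something to look at if a push is ever allowed through on purpose.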
@codeberg Thanks for the transparent information! I'm glad it wasn't a software security issue...