Cyber Incident Victim: Matrix.org
Date: Apr 2019
Location: United Kingdom
Summary
Matrix.org experienced a cyberattack that exploited vulnerabilities in an outdated Jenkins automation server, giving the attacker unauthorized access to production infrastructure through stolen SSH keys. The breach exposed unencrypted message data, password hashes, and access tokens, and prompted a complete rebuild of servers and services that caused extended downtime. All users were forcibly logged out and advised to reset their passwords because the stolen hashes could be cracked, and encrypted chat histories may have been permanently lost for users without backups. The incident did not affect Modular.im homeservers. The organization responded by removing the compromised Jenkins instance, revoking the attacker's access, and restoring its infrastructure, alongside commitments to improved security practices.
Description
On April 9, 2019, an ethical hacker alerted Matrix.org to security vulnerabilities in its production infrastructure, specifically identifying three critical flaws (CVE-2019-1003000, CVE-2019-1003001, and CVE-2019-1003002) in an outdated Jenkins automation server. These vulnerabilities had enabled an unknown attacker to compromise internal SSH keys and gain unauthorized access to Matrix.org's systems. By April 10, the Matrix team had confirmed the breach and determined that the attacker had accessed a production database, potentially exposing unencrypted message data, password hashes, and access tokens. The same day, Matrix.org removed the vulnerable Jenkins instance to revoke the attacker's access. On April 11, the organization took its primary homeserver offline and began a full rebuild of its production infrastructure, including websites, databases, Synapse servers, load balancers, and media repositories. Modular.im homeservers remained unaffected. The incident caused prolonged service disruptions as the team worked through the difficulties of reconstructing its systems from scratch.

The breach compromised user credentials and communication data, though plaintext passwords were not directly accessed. Hashes of weak passwords remained vulnerable to cracking, and unencrypted private messages faced potential exposure. Matrix.org forcibly logged out all users and advised immediate password resets. Encrypted chat histories were permanently lost for users who lacked backups. The organization prioritized restoring services and strengthening its internal security, pledging to adopt more aggressive patching practices. No evidence indicated the attacker's motive or any misuse of the stolen data, but the incident underscored the risks of running outdated infrastructure components. Recovery efforts focused on rebuilding systems while preventing further unauthorized access.
