Based on the Github / Rudd's new post, it looks like there was an "Evil Post" that contained a Markdown-to-Javascript escape and actually allowed the hacker to run Javascript in our web-browsers. Something to do with custom emojis?

So the problem was multi-fold.

1. The hacker created the "Evil Post", which constantly was stealing people's cookies. Anyone who viewed the evil post in a web browser (Chrome/Firefox/Edge) allowed the hacker to have access to their account (and anything you can do in the web browsers).

2. The hacker waited until an admin viewed the post. Then took control of the administrator's account, and likely a few other people's accounts as well. DMs containing the evil-Javascript post were sent to various moderators.

3. Hacker used the account access to just troll us.

Fixing #3 doesn't fix #2 or #1. So eventually, when #3 was fixed, the hacker just grabbed the admin-account and made everything back to the way it was.

The problem wouldn't be fixed permanently until #3, #2, and #1 were all fixed. Which they seem to be fixed now. But this "evil post" is going around the Federation. Other Lemmy-instances may have the post cached, and the users on those lemmies will likely have their JWT cookie also stolen (allowing the hacker to take over people's accounts those instances in a similar manner)