The two things the hacks required were:

  1. Custom emojis
  2. A local user on the instance to be taken over

Since I know who the users on this instance are, neither of these things was an issue, so we were not at risk of the hack, such as it is right now.

We’ve upgraded our lemmy-ui to the very latest 0.18.2rc2 to further mitigate the potential issues, and I ran the PostgreSQL commands proposed in the thread below to ensure nothing bad got in anyway:

https://github.com/LemmyNet/lemmy-ui/issues/1895#issuecomment-1628270766

There were no custom emojis listed, but there were 8 posts including the offending onload command. They were deleted without incident. As a final result everyone will have to log back in.

This is yet another example of how decentralization is strength – major instances were in trouble as a result of this, but many smaller instances never saw a thing.