by feanaro 1933 days ago
No keys were revoked (nor does Element have the power to do so). What happened was that existing user login sessions were destroyed and users had to log in again.

If you had either backed up your keys locally or had an encrypted copy of your keys stored on the server-side as a backup, no access was lost.

1 comments

If the keys were associated with a session, then it quite literally demonstrates how clueless the company and its engineers are:

1. Send a message to the users with the existing sessions telling them to create backups.

2. Have users confirm that the backups were created.

3. Log users that created backups out.

There's no excuse for losing users' data. Ever.

I ran the response for the Apr 2019 incident that you're digging up, and fwiw:

* The breach impacted the free best-effort matrix.org server & infrastructure, not Element Matrix Services (the subject of this HN thread).

* We didn't "revoke user keys", we logged users out on matrix.org whose password hashes & login access tokens had been exposed.

* At the time we were in beta, and there was only one mechanism to log out users: a 'hard logout' used to evict client sessions which would cause them to clean up their local data; the common case where as a user you want to kick off old sessions and don't want to leave your keys littered around. Before exiting beta in June 2019, we implemented 'soft logout' as a mechanism to expire access_tokens without clients cleaning up data: https://github.com/matrix-org/synapse/issues/4280. Given the urgency to protect user data immediately after the breach, we couldn't release new clients to expedite soft logout, so had to go with hard logout.

* However, any user who backs up their E2EE keys, either online (the default configuration) or offline, was unaffected. To repeat: the default configuration was to nag the user into backing up their keys, encrypted, on the server, for precisely this sort of situation. And to the best of my knowledge I don't recall anyone who reported having lost data to us.
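
An added example, not part of the thread and not code from any Matrix client: a sketch of how a client could distinguish the hard and soft logout modes described in the comment above when the server rejects its access token. The `M_UNKNOWN_TOKEN` error code and `soft_logout` flag come from the Matrix client-server API; the session object layout, function name and sample values are hypothetical and constructed for illustration.

```javascript
// Hypothetical client-side handler (illustration only).
// status/body: HTTP status and parsed JSON error body returned by the homeserver.
// session: local client state, including locally stored E2EE room keys.
function handleTokenRejection(status, body, session) {
  if (status !== 401 || !body || body.errcode !== "M_UNKNOWN_TOKEN") {
    return { action: "none", session };
  }
  if (body.soft_logout === true) {
    // Soft logout: only the credential is dropped. The device identity and
    // local room keys stay, so history is readable again after re-login.
    return {
      action: "reauthenticate",
      unrecoverableKeys: 0,
      session: { ...session, accessToken: null },
    };
  }
  // Hard logout: the client cleans up its local data. Keys that were never
  // backed up (server-side encrypted backup or offline export) are gone.
  const localKeyCount = Object.keys(session.roomKeys).length;
  return {
    action: "wiped",
    unrecoverableKeys: session.keyBackupEnabled ? 0 : localKeyCount,
    session: {
      userId: session.userId,
      deviceId: null,
      accessToken: null,
      roomKeys: {},
      keyBackupEnabled: session.keyBackupEnabled,
    },
  };
}

// Constructed sample state; none of these values come from a real account.
function sampleSession(keyBackupEnabled) {
  return {
    userId: "@alice:example.org",
    deviceId: "CONSTRUCTEDDEV",
    accessToken: "constructed-token",
    roomKeys: { "!room1:example.org": "constructed-key-1", "!room2:example.org": "constructed-key-2" },
    keyBackupEnabled,
  };
}

const rejected = { errcode: "M_UNKNOWN_TOKEN", error: "Invalid access token" };
const soft = handleTokenRejection(401, { ...rejected, soft_logout: true }, sampleSession(false));
const hardNoBackup = handleTokenRejection(401, rejected, sampleSession(false));
const hardWithBackup = handleTokenRejection(401, rejected, sampleSession(true));
console.log(soft.action, hardNoBackup.unrecoverableKeys, hardWithBackup.unrecoverableKeys);
```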