Hackers have invaded LineageOS’s servers. They exploited a known software vulnerability to do so. No data or signing keys were stolen during the hack, but LineageOS will temporarily keep its services offline.
LineageOS has temporarily taken the distribution of new builds offline. The status page shows that this has been the case since Sunday night. LineageOS says on Twitter that an attacker has gained access to the company’s infrastructure. The website and wiki will still work, but users will not be able to download new versions of the Android operating system. That was already impossible, because an unrelated problem caused the distribution of builds to be stopped since April 30.
No data was stolen or manipulated in the attack, according to LineageOS. The hackers did not put any code into the builds or modify the source code. It is also important that, according to LineageOS, no signing keys have been captured. Those keys are used to authenticate the distribution, but according to LineageOS, those keys were on a different infrastructure than the one currently affected.
The hackers arrived on May 2, according to LineageOS. This happened through a leak in server automation tool SaltStack. On April 30, two vulnerabilities were found in Salt. CVE-2020-11651 and CVE-2020-11652 are vulnerabilities to perform remote code execution without authentication.