My Gitea (Forgejo) got hacked - some strange user, a very large repo

Background: A few hours ago, while doing a routine Google search for my domain to check if I had inadvertently exposed any details online, I stumbled upon an unexpected mention of my git domain. Intrigued and alarmed, I dug deeper and discovered that an unknown user had created an account on my Gitea server.

Update: maybe not hacked, take with a pinch of salt; registrations were open with e-mail verification, but my password didn't work.

The Hack (simple account creation):

  • User Creation: The user, named 'O', somehow managed to activate their account in late April as if I had approved it myself. (They just verified their e-mail address.)
  • Repository Upload: This user uploaded a massive 4.3 GB repository with a lot of update history. It was allegedly forked from https://gitea.lolumi.com/O/O (this was last updated 2 hours ago).
  • Password Tampering: I also found that my admin password had been changed, forcing me to reset it to log in and delete the user/repo. (I don't know if it was actually changed; it just didn't work.)

On further inspection, I traced back a network of repositories all linked to this mysterious user 'O', hosted across different domains like https://git.pack.house/O/O and https://dagshub.com/O/O. Each repository is similarly structured under /O/O, and I can't for the life of me figure out why or how this user appeared in my system (it seems it's just a matter of registering through the open access I didn't close). Storage network? Botnet? Full server & Gitea user takeover?

Security Measures:

  • After resetting my password, I deleted the unauthorized user and the large repository.
  • I did a reverse lookup on the email address [email protected] used by 'O', which suggested this wasn't their first rodeo—there seems to be a pattern of hopping onto many domains with similar setups. I encourage you to google it yourself.

Moving Forward:

  • I've contacted a few other site owners who might be affected based on my findings.
  • I'm considering purging my Forgejo instance. I don't use it much, and it seems to have been compromised.

Has anyone here experienced something similar? Any advice on further preventive measures would be greatly appreciated. I'm especially curious about any insights into stopping such sophisticated intrusions at the server level.

Thanks for any help or insights you can offer!

edit: My repository was in a list such as this one, where they post all the repositories they have forked onto open-access Gitea instances: https://repos.itabas.com/O/O/commit/22dcc8bd6702fda980134df7c55962eea01e4156


Conclusion: don't allow people to register if you don't want strange people to register. Also enable e-mail notifications and stuff for events if possible.
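As an added illustration of that conclusion (not from the original post): two `app.ini` excerpts for Gitea/Forgejo, the first reconstructing the open-registration state described above and the second a locked-down equivalent for a single-user instance. These are standard `[service]`, `[admin]` and `[mailer]` keys; the SMTP values are placeholders, and `SEND_NOTIFICATION_EMAIL_ON_NEW_USER` needs a recent Gitea (1.20+) or Forgejo release.

```ini
; --- Excerpt 1: the state that let a stranger self-register (constructed to match the post) ---
[service]
DISABLE_REGISTRATION = false      ; anyone who finds the instance can sign up
REGISTER_EMAIL_CONFIRM = true     ; clicking the e-mail link activates the account; no admin is involved
REGISTER_MANUAL_CONFIRM = false   ; so the account is live as soon as the e-mail is verified

; --- Excerpt 2: hardened equivalent (replace the [service] block above, do not keep both) ---
[service]
DISABLE_REGISTRATION = true       ; no self-service sign-up; the admin creates accounts by hand
SHOW_REGISTRATION_BUTTON = false  ; don't advertise a sign-up page either
REQUIRE_SIGNIN_VIEW = true        ; anonymous visitors and search crawlers see nothing (how the post's author found the repo via Google)
REGISTER_EMAIL_CONFIRM = true     ; only matters if registration is ever re-enabled...
REGISTER_MANUAL_CONFIRM = true    ; ...in which case an admin must approve each new user before it is active
ENABLE_NOTIFY_MAIL = true         ; e-mail on activity in repos you watch (e.g. a fork or a large push)

[admin]
SEND_NOTIFICATION_EMAIL_ON_NEW_USER = true   ; every admin gets a mail the moment an account is created

[mailer]
ENABLED = true                    ; notifications above do nothing without a working mailer
PROTOCOL = smtps
SMTP_ADDR = smtp.example.invalid  ; placeholder, use your provider
SMTP_PORT = 465
FROM = gitea@example.invalid      ; placeholder
USER = gitea@example.invalid      ; placeholder
PASSWD = CHANGE-ME                ; placeholder
```

After restarting the service, check Site Administration > User Accounts for any account you did not create yourself, since the config change does not remove accounts that already exist.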