Jevel's Blog

generic Pinterest pixel art girl

A blog where I mostly talk about tech and other stuff extensively.

Navigate

28/02/2026

The Yesterweb's Geminispace Capsule Hack

Update (03/03/2026): Yesterweb has been set to read-only and will shut down for good at some point and be replaced by a new service. Update (02/03/2026): Although tsvety assured me that the malicious actor did not access certs and hashes, I still would be cautious. It won't stop me from looking for an alternative. 28/02/2026: This is a copy-pasted and slightly edited version of my original Fediverse post. You can read it here .
Screnshot of my empty capsule.
What is left of my capsule which I've been hosting since November, 2023. While all of files are magaed offline and thus stored locally, no data has been lost but I'm still pissed that two years of research plus some retrospective additions no longer are accessible publicly.

While Yesterweb's Discord and forum shut down three years ago, their Geminispace hosting service still was up, albeit in a neglected state. It lacked a valid certificate for a year and only a few weeks ago a new one has been issued that's valid until February, 2027. I emailed Iris ("seapunk") about this last year but never received a response and this should've been a clear sign that things got a little bad behind the scenes, even without being aware of the drama surrounding a few admins that tried to turn Yesterweb into some Lenin-style revolution .

Somewhere around or after 20 February, 2026 all capsules Yesterweb hosted on Geminispace got wiped of their gemtexts, only leaving empty directories behind. I was busy and bedridden around this time and only noticed it last night, so I emailed Iris again and was surprised to receive a response this time around but even moreso about them admitting that they don't even maintain Yesterweb's Geminispace capsule, despite their email being listed as the one to refer to when issues with Yesterweb's capsule hosting service arise. They forwarded my email to two other people, Tsvety and D4708, and the former gave a detailed response as to what happened:

"I am running that server, have backups, and control the domain (but not every service under it). First of all, let me apologize for the unexpected, unannounced, and unexplained going-offline. I became aware of this issue (thanks to D4708) on the morning of the 25th, the logs pointed to it having happened on the 23rd, and I immediately shut the server down. In an ideal world, I would send out a mass email to all users while I immediately work on a fix. However, I do not have anybody's contact info and have nary an ounce of spare time until the 1st, where I can only spend a few hours.

The logs only go back a week or two and seem to indicate that a malicious actor abused the webdav uploading service, deleted everything, and took a look through all of the server's files. I also saw log messages that show that somebody knows that this thing is running on PM2 and that they tried to log into ssh with specific PM2-related creds. It has kind of spooked me for a while that this has been running on my machine and I don't know what's inside of it, and this really confirmed that in my uninformed eyes. I had to fiddle with nodejs packages one or two years ago and I almost broke it."

Tsvety states that a backup exists but only for gemtexts and directories created up until 1 February, 2026. Anything that was published between 2 and around 23 February is gone, unless capsule owners kept their own local backups or some Geminispace crawler picked it up to archive.

"I can probably help somebody get this thing running on somebody else's server and point the DNS to them (ideal!). I can make an attempt to host this content with a mainstream gemini server as a bandaid, thus making the whole thing read-only. I can't do anything other than provide copies of the data until at least the 1st."

On 03 March, 2026, the capsule was set to read-only and the loading page has been replaced with the following text:

Wall of text
"hi my name is iris, i wrote the software that runs this service.

ok so . as im sure you're aware, the yesterweb "shut down" quite a while ago. like 4 years ago. yestercities stayed up as many users were still actively using it, but due to my own mental health and the community exploding, i stopped maintaining this service. sorry to those of you who continued to use it despite that.

recently, a malicious actor abused the a vulnerability in the webdav file manager that i had running in addition to everything else, and managed to delete every single user's files. thankfully, tsvety (the one who actually hosts this service) had automatic backups of everything. i've now created a read-only version of this service to allow users to collect any files they would like to keep.

moving forward, i did intend to create a new host on a new machine that is unrelated to the yesterweb, using new and improved server software. if this does happen, it will probably be closer to april or may of 2026. this page will be updated with information on migrating or signing up on that service.

thank you for using yestercities for so long"

Unfortunately, any read-only capsule with multiple directories can't be navigated normally and require to be accessed manually by appending the name of the individual gemtext to the new URL. This sadly revealed that this backup is not from early-February, 2026 but from September, 2025.

A manual diff of my status gemtext. Local copy on the left, the backup provided by Yesterweb on the right.
A manual diff showing my local copy of my Status gemtext and the backup provided by Yesterweb. I published many more entries, including a very recent "offline update" that currently is only online in my Codeberg repo. If I wouldn't have managed my capsule offline, parts of my research would've been gone entirely.

I do not want to play the blame game and point fingers at anyone in particular but what I am pissed about, on the other hand, is that they lied to me about the age of their last backup and ultimately revealed that they also neglected that for several months. I'm lucky enough to have multiple local backups but anyone who wasn't nearly as careful lost several months of gemtexts. This utter lack of proper of communication initially caused the "Yesterweb" to collapse in the first place and even after that none of the remaining people truly learned a thing or two from it. Hell, if I wouldn't have emailed Iris, they wouldn't have updated the landing page to mention the hack!

There's nothing left but move my own stuff somewhere else. I still don't know whether I'll stay on Geminispace and move to flounder.online or capsule.town OR go through the hassle of converting every gemtext into HTML or a different Markdown flavor to host on the HTTP web, further delaying the start of this year's observation season regardless. I'm still not fully recovered and my brain hurts from nearly losing two and a half years of work (which I luckily manage offline via local copies) AND reading about the 2023 drama shortly after.

© jevel | repth