Someone pulled off a js injection attack, where they put javascript into some comments or messages that would get executed by others seeing it in the web interface. The js sent the session cookies to the attackers, who got some admin sessions that way and took over lemmy.world for a bit. Given they only got the logged in session on the webinterface the damage was likely contained (i.e. no data stolen for example)