@forteller@octodon.social @thibaultamartin the details are on https://matrix.org/blog/2019/04/18/security-update-sydent-1-0-2
It allowed someone to sign up on an instance that was set to only allow sign-ups from specific email-addresses. It did not give access to any existing accounts or communications.
as a sidenote, the Ars Technica article about this has some factual errors, the matrix.org tweet linked refers to a different incident, which was unrelated to Matrix/Synapse