1. JWT stands for JSON Web Token. It’s basically a way for a server (lemmy’s) to put a piece of information in your browser in a way that makes sure it come from the server. It (usually) uses some form of digital signature. You can think of it as a note someone gave you with their signature, assuming said signature is very hard/impossible to counterfeit. The next time you see that person, they don’t have to remember you, they just have to check the signature. If it is valid, anything written on the note is taken at face value.

When you connect to a site, there are a few steps to validate that you are who you say you are (identification and authentication). Something like inputing you login/password. Since it would be tedious to do that on every requests, the first time you give your login/password to the server (this is the simplified version, this exchange is a bit more complex usually) the server gives you that JWT. For every subsequent requests, your browser automatically send that JWT that is simple to handle but hard to counterfeit, and the server safely knows that you’re whoever is written in that JWT.

2. I assume there will be a post here when more details are known, or that this post itself will be updated. As with any online service, it’s up to the service to decide if they want to communicate. (it may also be a legal requirements in some places to tell user when such an event occurs). Since we’re talking about obtaining other user’s authentication token including an admin, it is safe to assume that whatever an admin can see has leaked. This can range from basic user informations to more private stuff, although I am not familiar with the software behind lemmy. Note that this is a worst-case scenario; an admin impersonator could have access to anything an admin could see, it does not mean they immediately dumped everything. It depends on their motivation.

3. Protection against this kind of stuff Compromission of the JWT can happen in many ways and I don’t know which way was used. But if there’s a flaw in the software used (the lemmy’s client-side code, for example) there is not much you can do. JWT can leak through many things :

• server compromission (out of your control)
• client-side compromission (only happens when using a browser; applications that uses API should be less susceptible to that)
• vulnerable extension: if you have browser extensions, they can easily peek into what’s happening in any given page (that’s their whole purpose). Malicious extensions, or extensions that allow outsider’s some kind of control over them can leak data
• browser vulnerability: keep your browser up-to-date, and (this is controversial) stick to a family of well-enough known browser. That obscure browser that have 20 users worldwide and is based on a three years old version of chromium is not the best thing to use
• keep your data safe: only put the minimum required amount of data on any service. For lemmy, I assume an email address and your login/password is the bare minimum (well the email is already extra, but it’s very convenient to have). Some services really likes to get everything they can out of you.

Basically, stay up to date and don’t use shady stuff. Easy to say, I know.

1 - jwt is the authentication cookie u get when u sign in with ur password, ur browser stores the jwt and then any further interaction authenticates using it

2 - yes, userscripts, extensions, custom frontends, apps, all apps have access to jwt