Disclosure: Supervisor security vulnerability

This disclosure is really lacking enough details to allow non-technical users to understand the scope of the vulnerability.

Based on my understanding, the supervisor API is not accessible through the standard HA core ingress.

This seems confirmed here: Supervisor External API Access - #2 by CentralCommand

If the above is the case, I’d reword the statement to avoid spreading panic throughout the community as it is a serious one, with the supervisor API giving an attacker opportunities to compromise the entire HA instance and credentials to everything it was integrated with and if so, I (and pretty much everyone here) would like to know so that we can act.

Answer to HAS THIS VULNERABILITY BEEN ABUSED? is ridiculous, please provide more details to allow users to determine if they could have been compromised - even if it’s just a hint to review logs of ingress controllers for access to a specific path like /api/supervisor or something…