#2
Hmmm.
In my haste to fix it I did not make a record of the affected accounts assuming that the audit logs would record this information.
The audit logs have recorded things like:
Delete user_id: 58b039670bdcab0a0ebf56df
Which is now useless given that the accounts were deleted as part of the mitigation / cleanup.
There were 8 affected accounts, 1 of whom knows about it as they were included in the PM that notified me of the bug. The others I'm afraid I do not have a record of, as the audit log does not show that and I deleted them using a query (didn't explicitly see who, just noted the number for sanity and proceeded).
I was hoping to finish by contacting the affected users, but on this occasion I've prevented myself from doing so. In future, when dealing with an incident I'll note this as I go along.
A bug in a script on our auth0 account which was supposed to merge duplicate accounts merged unrelated accounts.
The background is that when you sign in with email, and also with Google... this would create 2 accounts for you. To avoid duplicating these and potentially giving you fresh accounts on the forum every time you sign in using a different method... these should be merged.
The script to do this was changed today to use a new API provided by auth0, and the script contained a bug that meant it sometimes merged accounts even if the email did not match.
What this meant is that for a small number of people (fewer than 10) someone else may have logged in as them.
I was notified shortly via PM that this was happening, and have immediately:
If you were signed out... it does not mean you were affected at all. I am just being overly cautious on who to revoke the sessions for.
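Added example (not the forum's or auth0's own code) covering the two lessons in this thread: a merge planner that only pairs accounts whose normalised emails match, and an audit record of the affected user ids produced before any account is deleted. The account records, field names and email normalisation are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample accounts (not real users): u1/u2 are the same person via two
# sign-in methods; u3/u4 look similar but are unrelated and must never be merged.
SAMPLE_ACCOUNTS = [
    {"user_id": "u1", "email": "alice@example.com", "connection": "google", "created": 1},
    {"user_id": "u2", "email": " Alice@Example.com ", "connection": "email", "created": 2},
    {"user_id": "u3", "email": "bob@example.com", "connection": "google", "created": 3},
    {"user_id": "u4", "email": "bob@example.org", "connection": "email", "created": 4},
]


def normalise_email(email):
    """Canonical form compared on both sides of every merge (assumed rule)."""
    return email.strip().lower()


def emails_match(primary, secondary):
    """The check the faulty script lacked: exact match on the canonical email."""
    return normalise_email(primary["email"]) == normalise_email(secondary["email"])


def merge_pair(primary, secondary):
    """Return the audit record for folding secondary into primary; refuse mismatches."""
    if not emails_match(primary, secondary):
        raise ValueError(f"refusing to merge {secondary['user_id']} into "
                         f"{primary['user_id']}: email mismatch")
    return {"primary": primary["user_id"], "secondary": secondary["user_id"],
            "email": normalise_email(primary["email"])}


def plan_merges(accounts):
    """Group by canonical email, keep the oldest account as primary, and return the
    audit records. Persist these records BEFORE deleting any secondary account, so
    the list of affected identities survives the cleanup."""
    by_email = defaultdict(list)
    for acct in accounts:
        by_email[normalise_email(acct["email"])].append(acct)
    audit = []
    for group in by_email.values():
        if len(group) < 2:
            continue  # a single account per email needs no merge
        group.sort(key=lambda a: a["created"])
        primary = group[0]
        for secondary in group[1:]:
            audit.append(merge_pair(primary, secondary))
    return audit


if __name__ == "__main__":
    for record in plan_merges(SAMPLE_ACCOUNTS):
        print(record)
```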