Kinde - Notice history

All systems operational

Notice history

2025 Sep

High latency for AU region
  • Resolved
    Resolved

    This incident has been resolved and our team will continue to monitor.

  • Monitoring
    Monitoring

    Latency has returned to normal and we're monitoring performance now

  • Investigating
    Investigating

    We are currently investigating this.

Known authentication errors
  • Postmortem
    Postmortem

    Post-incident report now available.

    Following the incident of 3 September 2025, we've now prepared a post-incident report, containing detailed information about the root cause, remedies, future actions, etc.

    View post-incident report.

    If you have any questions, or need any additional information, please reach out to us by email, or in our Slack and Discord communities. We're here to support you however we can.
    Again, we are deeply apologetic for the inconvenience caused to you and your customers. We are making it impossible to happen again.

  • Update
    Update

    A brief update to the summary from yesterday.

    Incident window on September 3 between 10:40am to 11:41am Sydney time (12:40am to 01:41am UTC).

    This was not a malicious attack and there was no Kinde data breach from an external attacker. We caused it.

    The deployment was rolled back 61 minutes after the bug appeared, fixing the issue. Users who logged in outside of the incident window are not affected.

    Only OAuth and OIDC type connections were impacted, such as all social authentication connections and the Entra OAuth enterprise connection.

    Email, username, SMS, and SAML connections were not impacted.

    There was no cross-business profile exposure.

    For each of your OAuth2 or OIDC connections, the first user to authenticate during the incident window became the profile for subsequent users on that OAuth2 or OIDC connection.

    For example, say user 1 authenticated at the beginning of the incident. When any subsequent user authenticated (e.g. user 2, 3, and 4) they were shown the profile for user 1.

    Less than 100 user profiles globally were exposed by this incident.

    Sessions and tokens during the incident window were identified and invalidated by the evening of Sep 3 Sydney time.

    The Kinde team are actively reaching out directly to impacted Kinde businesses who have had authentication sessions during the incident window to provide further information and assistance.

  • Resolved
    Resolved

    We will be closing this incident on the status page, however updates will still be provided here publicly and directly to customers where required.

    Only users who logged in during the hour long incident window were impacted.

    The initial bug from this morning was resolved. All impacted sessions and tokens for the Kinde admin have been invalidated. Additionally all customer sessions during the incident window have been invalidated on the Kinde side.

    We are compiling a list of users impacted and will be reaching out directly to customers to verify if there are any cached access or refresh tokens that need to be invalidated.

  • Update
    Update

    The team are continuing to investigate the total breadth of the incident, specifically with the invalidation of logins during the incident. We will continue to update this status page with high level information and directly to customers for information specific to their business.

  • Update
    Update
    \-- -- Apologies for the broken formatting on this longer update. We will provide a nicer view of this report in the coming days as part of a post mortem -- -- To all the Kinde customers impacted by the authentication incident that occurred today (3 September 2025) at 10:40am Sydney time, we are so sorry for the impact this has had on your businesses. It was entirely our fault. We fu\*#ed up. We accidentally introduced an authentication bug during a routine feature deployment. The bug has been fixed and we are swarming to respond and remediate. More updates will be posted to our status page, where you can subscribe to the incident and receive updates. If you have one, please use your dedicated channel in Kinde Slack. \-- -- Summary -- -- This was not a malicious attack and there was no Kinde data breach. We caused it. Social auth connections were impacted (not enterprise connections). End-users who authenticated during the incident were signed in to a profile that was not theirs. We are working to invalidate all sessions that were signed into during the incident period. This will invalidate auth tokens and force the affected users to sign in again. The deployment was rolled back 68 minutes after the bug appeared, fixing the issue. Users who sign in to your app now, will be unaffected. This is being treated as a security incident due to the impact to users when using our customer’s products, however Kinde has not been breached. \-- -- What we know -- -- A recent code change was deployed introducing a bug that redirected authenticated users to the wrong profile. They signed in as usual via social authentication, but the bug assigned the incorrect user ID to them when returning to the app. This effectively showed them the profile of another user after the login. Users logging into the Kinde admin were also impacted when using the Google or Github authentication options, and were directed to the incorrect organisation selector. To the best of our knowledge, enterprise connections (such as SAML and MS Entra OAuth2) were not impacted by this bug. \-- -- Current actions -- -- The bug is fixed. Here’s what we are doing right now: Determining how many users were affected. i.e. the scope of the incident Working out the best remedy (i.e. invalidate invalid sessions) to impact the least users Running diffs with a restored copy of the data prior to the incident for validation Performing a code analysis of the change We will reach out to customers directly with more information, as we have it. \-- -- Incident timeline - 3 September 2025 -- -- Change deployed at 10:40 am Sydney time First notification of incorrect logins is 11:07 am Sydney time Change reverted at 11:41 am Sydney time Total duration where a user could log into the wrong profile: 61 minutes
  • Monitoring
    Monitoring

    Sydney region is operational and user sessions are in the process of being invalidated.

  • Identified
    Identified

    There is high latency for the Sydney region currently.

  • Update
    Update

    We are currently working on invalidating all sessions that took place during the incident.

  • Monitoring
    Monitoring

    We implemented a fix that resolves the issue and are currently monitoring the result. This is being treated as a serious incident and our team is working urgently.

  • Identified
    Identified

    We have identified a critical authentication error affecting Social SSO, email and SMS.

    Enterprise Connections/SSO are not affected.

  • Investigating
    Investigating
    We are currently investigating this incident.
SMS delivery for Sydney region failing
  • Resolved
    Resolved
    This incident has been resolved.
  • Monitoring
    Monitoring
    We implemented a fix and are currently monitoring the result.
  • Investigating
    Investigating
    We are currently investigating this incident.

2025 Aug

Access to Kinde admin errors
  • Resolved
    Resolved

    Fix has been applied and Kinde admin errors are now resolved

  • Investigating
    Investigating
    We are currently investigating this incident.
Performance issues with auth
  • Resolved
    Resolved
    This incident has been resolved.
  • Monitoring
    Monitoring

    We implemented a fix and are currently monitoring.

  • Investigating
    Investigating
    We are currently investigating this incident.

2025 Jul

No notices reported this month

2025 Jul to 2025 Sep

Next