A brief update to the summary from yesterday.
Incident window on September 3 between 10:40am and 11:41am Sydney time (12:40am to 01:41am UTC).
This was not a malicious attack and there was no Kinde data breach from an external attacker. We caused it.
The deployment was rolled back 61 minutes after the bug appeared, fixing the issue. Users who logged in outside of the incident window are not affected.
Only OAuth and OIDC type connections were impacted, such as all social authentication connections and the Entra OAuth enterprise connection.
Email, username, SMS, and SAML connections were not impacted.
There was no cross-business profile exposure.
For each of your OAuth2 or OIDC connections, the first user to authenticate during the incident window became the profile served to every subsequent user on that same OAuth2 or OIDC connection.
For example, say user 1 authenticated at the beginning of the incident. When any subsequent user authenticated on the same connection (e.g. users 2, 3, and 4), they were shown the profile for user 1.
Fewer than 100 user profiles globally were exposed by this incident.
Sessions and tokens during the incident window were identified and invalidated by the evening of Sep 3 Sydney time.
The Kinde team is actively reaching out directly to impacted Kinde businesses that had authentication sessions during the incident window to provide further information and assistance.
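Businesses that keep their own login audit trail can apply the same criteria described above to confirm which logins fall inside the window and where one profile was served to more than one identity on a single OAuth2/OIDC connection. The following is an added example and is not Kinde's code or log format; the log layout, the connection identifiers, the subject and profile values, and the year (the notice gives only the date) are all assumed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Incident window from the notice: 12:40am to 01:41am UTC on September 3.
# The notice does not state the year; 2025 is assumed for this constructed sample.
WINDOW_START = datetime(2025, 9, 3, 0, 40, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 9, 3, 1, 41, tzinfo=timezone.utc)

# Connection types named as impacted in the notice (email, username, SMS and
# SAML connections were not affected and are skipped below).
IMPACTED_TYPES = {"oauth2", "oidc"}

# Constructed sample audit log (hypothetical format, not Kinde's), one login per
# line: timestamp, connection id, connection type, IdP subject, profile id served.
SAMPLE_LOG = """\
2025-09-03T00:30:00Z conn_google oauth2 sub_alice prof_alice
2025-09-03T00:45:00Z conn_google oauth2 sub_alice prof_alice
2025-09-03T00:50:00Z conn_google oauth2 sub_bob prof_alice
2025-09-03T01:10:00Z conn_google oauth2 sub_carol prof_alice
2025-09-03T01:00:00Z conn_email email sub_dave prof_dave
2025-09-03T01:20:00Z conn_entra oidc sub_erin prof_erin
2025-09-03T02:00:00Z conn_google oauth2 sub_frank prof_frank
"""


def parse_line(line):
    """Split one log line into (timestamp, connection, type, subject, profile)."""
    ts, conn, ctype, sub, prof = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), conn, ctype, sub, prof


def impacted_logins(log_text):
    """Logins on OAuth2/OIDC connections inside the window: the sessions whose
    tokens the notice says were invalidated."""
    rows = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return [r for r in rows
            if r[2] in IMPACTED_TYPES and WINDOW_START <= r[0] <= WINDOW_END]


def find_cross_user_profiles(log_text):
    """Map (connection, profile) -> sorted distinct IdP subjects that were served
    that profile inside the window, keeping only profiles seen by more than one
    subject on the same connection (the failure mode the notice describes)."""
    served = defaultdict(set)
    for _, conn, _, sub, prof in impacted_logins(log_text):
        served[(conn, prof)].add(sub)
    return {key: sorted(subs) for key, subs in served.items() if len(subs) > 1}


if __name__ == "__main__":
    print(len(impacted_logins(SAMPLE_LOG)), "logins to invalidate")
    print(find_cross_user_profiles(SAMPLE_LOG))
```

The first exposed profile on a flagged connection belongs to the earliest subject in the window; the other subjects in the list are the users who were shown it.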