Earlier today, we emailed users about a security vulnerability affecting parts of our single-sign-on functionality. We have fixed the vulnerability and have found no evidence that it was exploited, but we are publishing this post in the interest of transparency.
On Tuesday, June 6, while auditing our authentication systems, we investigated a possible vulnerability related to our single-sign-on functionality. We patched the vulnerability the same day and proceeded to investigate whether any users could have been affected by it.
On Thursday, June 8, we identified a subset of users who had previously used our single-sign-on functionality and were potentially exposed to this vulnerability. In particular, if the email address on record for a user's Replit account was not already tied to a GitHub account, an attacker could have created a GitHub account by re-using the email address on record for the user's Replit account. Under certain conditions, it would have been possible to use that fraudulent GitHub account to impersonate the affected user on Replit. While we have no evidence that a third party logged into any Replit account this way, out of caution we have logged every user we could identify as potentially fitting these criteria out of all of their Replit sessions.
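As an added illustration (example code, not Replit's own implementation; the resolver, field names and sample data are hypothetical), the account-linking rule that distinguishes a safe SSO login from the weakness described above: a weak resolver keys accounts on the email address the identity provider supplies, while a hardened resolver logs a user straight in only through an explicit (provider, subject) link and treats even a verified email match as a proposal that needs step-up authentication.

```python
from dataclasses import dataclass, field

@dataclass
class IdpIdentity:
    provider: str          # identity provider name, e.g. "github"
    subject: str           # the provider's stable user id, never the email
    email: str
    email_verified: bool   # does the provider assert it verified this address?

@dataclass
class User:
    user_id: str
    email: str
    sso_links: dict = field(default_factory=dict)  # provider -> subject

def resolve_login_weak(identity, users):
    """Weak resolver: treats the provider-supplied email as the account key."""
    for user in users.values():
        if user.email.lower() == identity.email.lower():
            return user
    return None

def resolve_login_hardened(identity, users):
    """Hardened resolver: only an explicit (provider, subject) link logs a user
    straight in; an email match is at most a proposal that needs step-up."""
    for user in users.values():                       # 1. explicit link wins
        if user.sso_links.get(identity.provider) == identity.subject:
            return user, "linked"
    if not identity.email_verified:                   # 2. unverified email: stop
        return None, "reject_unverified_email"
    for user in users.values():                       # 3. verified match: step-up
        if user.email.lower() == identity.email.lower():
            return user, "step_up_required"
    return None, "new_account"

# Constructed sample data: a victim whose address was never linked to GitHub,
# and an attacker-controlled GitHub identity registered with that same address.
USERS = {"u1": User("u1", "victim@example.com")}
ATTACKER = IdpIdentity("github", "gh-999", "victim@example.com", email_verified=False)
VERIFIED_OWNER = IdpIdentity("github", "gh-123", "victim@example.com", email_verified=True)

if __name__ == "__main__":
    print(resolve_login_weak(ATTACKER, USERS))            # the victim's User: the flaw
    print(resolve_login_hardened(ATTACKER, USERS))        # (None, 'reject_unverified_email')
    print(resolve_login_hardened(VERIFIED_OWNER, USERS))  # (victim's User, 'step_up_required')
```

Whether a provider marks an address as verified, and how the step-up is performed, is deployment-specific; the point is that no email match alone is a login.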
Additionally, out of an abundance of caution, we have logged out all users who have ever used our single-sign-on functionality with a GitHub, Facebook, or Apple account.
We take the security of our users' accounts seriously. We continuously perform security audits and, when we discover issues, we proactively address them and harden related systems. In the coming months, we will continue to make substantial improvements to our authentication systems to make them more secure and user-friendly.
If you are experiencing trouble logging back into your account or have additional questions, please reach out to support.