We want to report that we encountered an incident today impacting some of our cloud users for a limited period of time.
Over the last few days, we have conducted major migrations of our cloud services, moving to a new infrastructure with a dual purpose:
- we have added the foundation for an SSO (Single Sign-On) mechanism that will allow all users to authenticate using only one account across all our websites, instead of having a dedicated account for each of them. For instance, users of community.e.foundation will eventually be able to sign in to gitlab.e.foundation with the same account
- we have deployed a new user interface at ecloud.global, and new features, that will make users’ lives easier and the service more appealing.
This migration had gone well overall until today, when we detected a human error in one of the final migration scripts, which was meant to fine-tune the system performance.
On Sunday 29th of May, between 08:59 and 9:15 UTC, this error led to an unexpected state of our cloud services, in which we encountered some authentication issues. Some users may have been authenticated as a different user. For a limited number of users, this resulted in viewing content from another user, especially pictures, notes and various files.
This bug didn’t impact email.
We’re still investigating whether this issue had any impact on contacts and calendar data, but so far we haven’t been able to confirm that this is the case.
After the bug was corrected, the authentication issues were solved and the service was working properly. Impacted users should normally all have their own content back in their cloud.
We’re still determining whether some users remain impacted, since some side effects are possible.
We have found that this bug could have impacted at most 3307 users (about 5% of ecloud users) for 15 minutes, if they were connected to the service.
So far, 4 users have contacted us about this issue.
We ask users who have doubts about the situation to contact us at helpdesk@e.email to find out whether their account has potentially been impacted.
Finally, we want to state again that personal data stored at ecloud.global is encrypted server-side. We have been asked why it’s not “End-to-end encrypted” (E2EE). E2EE is the ultimate answer to protect data, but it’s a complex topic, and today, most clouds are NOT end-to-end encrypted. Moving to end-to-end encryption is a goal, to guarantee the best service possible in the long run. We hope to give some good news about this by the end of 2022.
Although this happened during an exceptional and major migration process, we sincerely apologize for this very unexpected situation. Privacy and transparency are 2 important cornerstones of our project, and what we strive for, to gain and keep your trust.
We’re consolidating our processes to ensure it won’t happen again.
We will share more information about our findings within 72 hours.
We thank you again for your trust.
Best regards,
Gaël & the team