issue is on railway, multiple people are having issues with the mongoDb and possibly more including me

I can confirm it's railway, we're having the same issues, we just browght down our infrastructure due to this problem.

Also happened to me and all my users!

We restarted the server and solved it. But it should not happen

we restarted several times and it did not make effect. This is absurd, it's a huge problem.

I have a cached session seeing another user here. We restarted the service and now it seems working again but this mean I can still see this user's session.

Will wait for a full incident report and know what happened because it had a serious impact on our business.

That was the final straw, WE ARE MOVING OUT ASAP

Honestly. There is no other way than migrating away from railway. Cant be worse than that.

We really need compensation for this, major security breach. Unhappy customers. My whole day ruined.

guys is this 100% resolved now? can we re-enable our infra?

Happy that this seems fixed.

But we have received multiple complaints from our customers and this situation is raising serious concerns.

As a platform serving professionals in a highly regulated field, we explicitly guarantee our users that their data is safe and handled with the utmost care. You can imagine the impact when they logged in and found themselves viewing another user's data.

This is not just a technical inconvenience, it is a breach of trust that directly undermines the credibility we have built with our customers. We need a clear explanation of what happened, what data was exposed, how do you think to compensate us for this mistake and what steps are being taken to ensure this never occurs again.

Can we get logs for affected cached requests to determine our customer impact?

Today we lost customers and revenue, and we are now at risk of being sued for leaking medical data. I know you are also extremely disappointed with what happened, but we need support from Railway at this moment. The least you can do is:

• A public announcement about the incident that I can share with customers
• Some form of compensation

whole day? whole fucking year. i think i lost years of my life today. i need a vacation

Can you confirm this only affects requests/responses with Cache-Control public headers?

We're running a PNPM monorepo with a next.js web app with custom Node/Express server, and separate Node/Express server. No explicit caching set up. Are we likely to be affected by this from a security perspective?

I think there is problem with some machine and connections, i cannot connect my mongodb one of my machines.

i think this is a case for the lawyers. confidential data has been exposed to other users, we had to completely shut down our service temporarily. this has REAL legal and business implications.

also - why was there no MAJOR alert, maybe even via email since you apparently new who was affected? we were informed about the issue by our users who reported seing others' private data.

Agreed. Confidential user data got exposed to other users on our platform. One user's private data (name, relationship details, personal content) was cached and served to completely unrelated people. Multiple support tickets, lost paying subscribers, and zero notification from Railway. We found out from our own users. A status page banner doesn't cut it for a data breach.

Affected all users and leaked data, you are such a immature. Will switch back to AWS.

@phin

Too late. We found out from our own users, not from Railway. Had to shut down our service, investigate for hours thinking it was our bug, and handle support tickets from paying subscribers who saw another user's private data.

This is a PII exposure incident that triggers breach notification obligations depending on jurisdiction.

Tenants in app were seeing other tenants data. Personal information, contact details, financial info, this should NEVER happen, EVER!!!! It is very serious indeed. My customers are very upset and worried. I now need to report to ICO as Railway is data processor under GDPR regulations. I am shocked this could happen, it is something that should never happen, ever!

Same here! I am also up for that

Is that all now? A lousy e-mail as apology?

Honestly, in every incident report I read "less than 2%" or this time "less than 0.5%" of users were affected. How come it ALWAYS hits us? Bad luck I guess.

What about compensation for lawyer fees? Migration costs? Potential customer losses? Hope you spend some of your 100M funding on compensation at least.

All this is just pathetic. You guys at least got an apology email? I had to drop everything I was doing just to try to wrap my head around this whole mess while my client sat on the phone, pissed, because their whole business was stuck and couldn't even sell anything in the middle of a shift change. And all I can show them is this little blog post you called a postmortem. There is no way this was just 0.05%. But sure, let's just ship another new feature with another 3rd-party service. What could go wrong? How can you even ship a CDN without any way of doing a cache purge?? Hell, the CDN is not even in the docs.

Don't trust this number, percentage should be much higher. Some of people don't yet received any email such as me. Even though I am affected.

Our app became unuseable for hours during this ordeal last night - normal requests that should have taken a few seconds were taking 1-10+ minutes or hanging completely, affecting enterprise customers. Nothing on the status page describing the CDN situation indicated this could be related so I was debugging from my end. I posted a support thread where the AI support agent indicated this WAS caused by the CDN issue (still no human response) so I urgently moved ourselved to another provider and pulled an all nighter to get ourselves back online and to do a damage control audit, investigating for potential security and data breaches due to Railway's error. I have not received an email from Railway although they said they have emailed all affected users hours ago.

https://blog.railway.com/p/incident-report-march-30-2026-authenticated-user-data-cached

"Impacted customers were notified before releasing this press release.

If you have no email, you are not impacted."

We were VERY impacted, yet no emails. Care to explain?

I'v e also opened a thread during the incident: https://station.railway.com/community/railway-caching-all-http-responses-inclu-30bbbbb4

We are seriously concerned. I work with @Fr, and not only did he write a thread during the incident, but both of us continuously commented on these blog posts while the incident was unfolding, explicitly reporting our issue.

What concerns us even more is that we were undeniably one of the impacted companies, yet you do not recognize us as such.

What kind of systems do you use to diagnose these events?

We experienced SERIOUS issues. When I was personally logged into my account, all requests were being cached and my data wasn't updating. We then discovered the problem was much more severe: other people were logging in WITH MY ACCOUNT. Since it is an ADMIN account, they could potentially see and do anything!

We had users logging in as other users, gaining access to extremely sensitive data. And now they have been complaining to us since yesterday morning.

The damage we have suffered is beyond unacceptable, and you haven't even included us among those affected by the incident? We are shocked.

We demand immediate action from your team,. We expect an email or direct contact from you regarding this matter as soon as possible. We are truly appalled.

"Impacted customers were notified before releasing this press release.

If you have no email, you are not impacted."

We have been 100% impacted and still haven't received any communication.

To be honest at this point a "we are sorry email" makes no difference to me. The email that I would have wanted is the "we have messed up, you need to take a look immediately" instead of noticing the issue thanks to reports of our own users.

Excuse me, but where is my email? My users have had their sessions mixed up - how the hell do you even determine "who was affected"? By checking the thread here and emailing the loud ones?

We were definitely affected and have evidence of it, and have not got any email or response so far from Railway. We all urgently need the logs from their CDN to do our own forensics ASAP. This is a massive problem.