7 months ago
Hi
This is really concerning...
This morning I've woken up to see another user avatar showing in the top right of my project.
'echohack'
See attached image.
The logo matches this profile:
https://www.youtube.com/c/echohack
I have checked my account settings, team members etc and there is no other reference to this user/profile, and I certainly haven't added anyone!
What is going on? Is this a UI bug, or do I need to be really concerned?
9 Replies
7 months ago
Found this GitHub account:
https://github.com/echohack
Which reads:
Solutions Engineer @Railway
Why does he have access to my project?!
7 months ago
Hey RJ - That is David Echo - he is an employee here at Railway.
Status changed to Awaiting User Response Railway • 7 months ago
7 months ago
> parmstar: Hey RJ - That is David Echo - he is an employee here at Railway.
That's less worrying but still - why does he have access to my project? He shouldn't have... no one other than me should have access surely? I have ENV secrets in there for a start.
Yes, Railway might have debugging access but definitely not project level access.
Status changed to Awaiting Railway Response Railway • 7 months ago
7 months ago
Hey RJ. Employees at Railway have the ability to look at Railway projects for debugging indeed. That's what this is.
Let me know if you've got any additional questions.
Jake Cooper
Founder @ Railway
Status changed to Awaiting User Response Railway • 7 months ago
7 months ago
Hi Jake,
Thanks for the clarification — that does help put my mind at ease a bit.
That said, a couple of things still feel a little unclear from a user perspective:
Can Railway employees see environment variables in plaintext?
The way this appeared in the UI (seeing another user's avatar with no context) was quite jarring — I didn’t know they were a Railway team member, and it initially looked like someone had been added to my project without my knowledge.
Is there any particular reason this access happened now? Curious if something triggered it.
I totally understand that sometimes support or debugging requires Railway staff to jump in, but I think a quick heads-up or some sort of audit trail would go a long way towards making that feel more transparent and safe — especially when secrets are involved.
Appreciate your time, and thanks again.
Status changed to Awaiting Railway Response Railway • 7 months ago
7 months ago
> Can Railway employees see environment variables in plaintext?
They would have to trigger a decryption which would show up in the activity log (bottom right)
> The way this appeared in the UI (seeing another user's avatar with no context) was quite jarring — I didn’t know they were a Railway team member, and it initially looked like someone had been added to my project without my knowledge.
Agreed. We've already escalated this to make it MUCH more clear cause we agree 100% it's jarring
> Is there any particular reason this access happened now? Curious if something triggered it.
Unsure. But they'd have had your project open.
> I totally understand that sometimes support or debugging requires Railway staff to jump in, but I think a quick heads-up or some sort of audit trail would go a long way towards making that feel more transparent and safe — especially when secrets are involved.
The project actions log in the bottom right should cover this. Anything else?
Status changed to Awaiting User Response Railway • 7 months ago
7 months ago
Thanks, and appreciate the fact that it's already been escalated to make it clearer.
Suggest instead of the user's name and avatar it displays the Railway logo with the tag "Railway support staff are working on this project" or similar?
> The project actions log in the bottom right should cover this.
There is no entry at all related to this new user. Perhaps by design, as they haven't done anything, but just pointing it out in case you'd expect it to show they were added to the project.
> They would have to trigger a decryption which would show up in the activity log (bottom right)
I tested this by viewing a variable (presumably triggering a decryption), and again, no new entry in the activity log.
I am far less concerned now than when I was waking up to this, so thanks! (didn't help the user has the word 'hack' in their name!!)
Status changed to Awaiting Railway Response Railway • 7 months ago
7 months ago
> Suggest instead of the user's name and avatar it displays the Railway logo with the tag "Railway support staff are working on this project" or similar?
Oh this is actually a great suggestion! I'll forward it to the team.
> I am far less concerned now than when I was waking up to this, so thanks! (didn't help the user has the word 'hack' in their name!!)
Lol. Yeah, that's deeply alarming.
Regardless, hopefully this abates that worry. We take your user data and privacy very seriously; all admins are required to use 2FA + additional security.
Status changed to Awaiting User Response Railway • 7 months ago
Status changed to Solved rjbathgate • 7 months ago
