We just had a major security flaw because of the platform.
geongeorge
PRO OP

2 months ago

What do we do now? People are pissed at us because this happened.

26 Replies

Looks like a code issue...?


All Railway does is host the database (eg, Postgres, Mongo, etc).


naftulisinger
PRO

2 months ago

No


naftulisinger
PRO

2 months ago

It's on Railway.


naftulisinger
PRO

2 months ago

I feel bad for you bro.


naftulisinger
PRO

2 months ago

My API has sent tons of data to the wrong clients... They cached the auth header (API key); I didn't even get a middleware error... Is this normal? No. I'm done with Railway.


geongeorge
PRO OP

2 months ago

Oh man, I'm sorry. Out of everything that happened this is the final nail


directsyndikat
PRO

2 months ago

Same here, we lost a lot of accounts of our clients. It was setting wrong authentication headers when sending API requests (mixing them up). This never happened in the last months, no code changes. We are shutting down our account and moving on; might buy our own server, way better.
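The two posts above describe the same failure mode: a platform-level cache or proxy replaying one client's Authorization header (or the response it produced) to a different client, with the application never noticing. The following is an added example, not Railway's code or any poster's code, of a framework-agnostic guard that marks authenticated responses as uncacheable and refuses to serve data when the credential the server resolved does not match the account the client pinned in a hypothetical X-Expected-Account header; the API key table is a constructed sample.

```javascript
// Added example: defensive guard for per-account API responses.
// Assumptions: a hypothetical X-Expected-Account request header that the
// client sets from its own session state, and a constructed API-key table.

const API_KEYS = {          // constructed sample: API key -> account id
  'key-alpha': 'acct-alpha',
  'key-beta': 'acct-beta',
};

function accountForKey(apiKey) {
  return Object.prototype.hasOwnProperty.call(API_KEYS, apiKey) ? API_KEYS[apiKey] : null;
}

// req is a plain object { headers: { 'lower-case-name': value } }.
// Returns { status, headers, body } so it can be adapted to any HTTP framework.
function guardAuthenticatedResponse(req) {
  const headers = {
    // Per-user responses must never be stored by a shared cache, and if
    // something caches them anyway the entry must be keyed on the credential.
    'Cache-Control': 'private, no-store',
    'Vary': 'Authorization',
  };

  const auth = req.headers['authorization'] || '';
  const apiKey = auth.startsWith('Bearer ') ? auth.slice('Bearer '.length) : null;
  const account = apiKey ? accountForKey(apiKey) : null;
  if (!account) {
    return { status: 401, headers, body: { error: 'unauthenticated' } };
  }

  const expected = req.headers['x-expected-account'];
  if (expected && expected !== account) {
    // The credential the server received resolves to a different account than
    // the client believes it is acting as: this is exactly what a swapped or
    // replayed Authorization header looks like. Refuse and log it, so the
    // mismatch becomes a visible error instead of a silent cross-account leak.
    console.error(`identity mismatch: client expects ${expected}, credential maps to ${account}`);
    return { status: 409, headers, body: { error: 'identity_mismatch' } };
  }

  return { status: 200, headers, body: { account, data: `private data for ${account}` } };
}
```

A 409 here is not proof that the platform is at fault, but a burst of them across many clients is the signal the posters above say they never received.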


directsyndikat
PRO

2 months ago

2 weeks ago the serverless hosting proved to not be serverless


haksonzvakson
HOBBY

2 months ago

We just had the same issue with XHR requests, confirmed as Railway incident here https://status.railway.com/incident/X0Q39H56


haayhappen
PRO

2 months ago

We had something similar. This is a huge issue and data breach incident.


afsalmadathingal
PRO

2 months ago

Same happened


debetux
PRO

2 months ago

Same happened here too


niek-hdas
PRO

2 months ago

Wow... This data caching caused customer specific info to be leaked to other customers for my application. Unacceptable.


nikserg
PRO

2 months ago

Same here.

Lot of personal data got messed up between users.

This is just crazy.

I won't be surprised to see lawsuits because of that.


jhud
PRO

2 months ago

WTF. Does someone from Railway have any comment?


2 months ago

We have been getting the exact same issue!


2 months ago

Please follow the incident here: https://status.railway.com/incident/X0Q39H56

We will update the incident with a postmortem once impact is fully determined.


2 months ago

We've had loads of users suddenly being logged in as other random users, allowing them to see other peoples private/sensitive data!


atspro2
PRO

2 months ago

Yes, we had a major security issue. Customers were logging into their account and seeing other customers data. This is not good at all. A lot of very angry customers!


directsyndikat

Same here, we lost a lot of accounts of our clients. It was setting wrong authentication headers when sending API requests (mixing them up). This never happened in the last months, no code changes. We are shutting down our account and moving on; might buy our own server, way better.

jonbarakmierke
PRO

2 months ago

Yeah, I just switched to Coolify cloud on a Hetzner server, and I use Docker Compose to deploy the application. So sad that Railway seems to be falling apart because the workflow is such a pleasure.


haayhappen
PRO

2 months ago

Can we get logs for affected cached requests to determine our customer impact?


reezusp
PRO

2 months ago

We were not notified about this incident. We discovered it only after receiving support tickets from users reporting they were seeing someone else's data in the app. We then spent over an hour investigating our own codebase, database RLS policies, and infrastructure before discovering the incident via a community forum post. For an incident involving user data exposure across accounts, direct and immediate notification to affected customers is the bare minimum. A status page banner is not sufficient.

This is the latest in a series of major incidents since February (DDoS/Cloudflare outage, deployment failures, DNS resolution failures, and now a data leak). We've stuck with Railway through all of them, but a data privacy incident with no direct notification is a different category entirely. Have already switched but will be needing some sort of compensation for this as we lost over 50 paid users today.


diegogalocha
PRO

2 months ago

What happened today was an absolute disgrace. As people have already mentioned, without even saying a word, I went crazy trying to work out what I could have done with our code. What a year for Railway... it’s definitely time for a change; what happened today is unacceptable – users seeing other people’s private information, everyone going crazy and messaging me... it’s a disgrace.


jhud
PRO

2 months ago

Railway should have immediately called everyone affected, or at least sent an email. An inoffensive banner about something that doesn't look relevant to anyone does not communicate the urgency of this incident.


azuyah
PRO

2 months ago

This is fucking insane. We have hundreds of users and earlier today EVERY SINGLE USER was logged into the same account, which contains private information, card details, orders etc. Did we get notified about this issue? No.

Tons of messages from upset users that couldn't log in to their accounts because they got sent to another account, I couldn't even log in to the admin side.

It wasn't long ago that Railway was down for hours. The F is happening?? I am hoping to get compensated for this.

This isn't just "sorry for the 2 hour downtime", this is a data and credentials leak and can have serious consequences for our company. How were we not IMMEDIATELY notified about a critical fault? Instead we got notified after the fact??

I'm flabbergasted.

