What the fk shared user sessions
afsalmadathingal
PRO OP

2 months ago

This shit application shared user sessions!!!

2 Replies

niek-hdas
PRO

2 months ago

It was a caching issue; all customers were served the same cached response even if it did not belong to their session.


Hi,

I'm sorry for the incident and for the delay in responding here. The past few days have been spent investigating the full scope, coordinating with our upstream CDN vendor, and working with counsel to ensure we communicate accurately.

To confirm: this was a platform-side issue, not your application. On March 30 between 10:42 and 11:34 UTC, a configuration change to our CDN edge layer caused GET responses to be incorrectly cached and served across users. Our initial notification was sent to customers we could confirm were impacted based on the data we had at the time. Since then, we've been cross-referencing our traffic records to identify all potentially affected domains, which is why this follow-up is coming now.

Regarding your question about responsibility for financial loss from users acting on other users' sessions: only GET responses were cached during the incident. POST requests (including form submissions, transactions, and state-changing actions) were not cached. This means users may have seen another user's data, but actions taken via POST requests would have been processed against the correct authenticated session on your origin server.

The full incident report is available at Incident Report: March 30th, 2026 - Accidental CDN Caching. If you need help assessing impact on your specific domain, let us know and we can pull your traffic data from the incident window.

Again, I apologize for the disruption this caused you and your users.

Best,

Angelo
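
Added example, not part of the thread and not Railway's or its CDN vendor's code: a small Python model of the failure mode described in the reply above, where GET responses are cached at a shared edge and served across users while POST requests still reach the origin with the right session. It assumes an edge that keys its cache on the URL path alone; `origin`, `Edge`, `replay` and the `/account` path are hypothetical, and the thread does not say how the real configuration behaved beyond what the reply states.

```python
# Constructed model of a shared edge cache; origin(), Edge and replay() are hypothetical names.

def origin(method, path, session):
    """Hypothetical origin: the body depends on the caller's session."""
    headers = {"Cache-Control": "private, no-store"}
    if method == "POST":
        return headers, f"order placed for {session}"
    return headers, f"account page of {session}"

def storable_by_shared_cache(method, req_headers, resp_headers):
    """Conservative storability test for a shared cache (stricter than RFC 9111)."""
    if method != "GET":
        return False
    directives = {d.strip().split("=")[0].lower()
                  for d in resp_headers.get("Cache-Control", "").split(",") if d.strip()}
    if directives & {"private", "no-store"}:
        return False
    # RFC 9111 3.5: authenticated requests need explicit permission to be shared.
    if "Authorization" in req_headers and not directives & {"public", "s-maxage", "must-revalidate"}:
        return False
    # Extra caution beyond the RFC: a response that sets a cookie is treated as per-user.
    return "Set-Cookie" not in resp_headers

class Edge:
    def __init__(self, honor_origin_headers):
        self.honor = honor_origin_headers
        self.store = {}  # cache key is the URL path only, shared by all users

    def handle(self, method, path, session):
        req_headers = {"Cookie": f"sid={session}"}
        if method == "GET" and path in self.store:
            return self.store[path]  # hit: the origin never sees this user's cookie
        resp_headers, body = origin(method, path, session)
        if self.honor:
            keep = storable_by_shared_cache(method, req_headers, resp_headers)
        else:
            keep = method == "GET"  # modelled misconfiguration: store every GET
        if keep:
            self.store[path] = body
        return body

def replay(edge):
    """Alice, then Bob, request the same URL; returns the body each request received."""
    requests = [("GET", "alice"), ("GET", "bob"), ("POST", "bob")]
    return [edge.handle(m, "/account", s) for m, s in requests]

if __name__ == "__main__":
    print("misconfigured:", replay(Edge(honor_origin_headers=False)))
    print("honoring headers:", replay(Edge(honor_origin_headers=True)))
```

In the misconfigured run the second GET returns the first user's page, while the POST is processed for the user who sent it; with the storability check in place each GET reaches the origin.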

