A fix has been implemented and we are monitoring the results. We’re continuing to limit the ability to reset your password from the login interface, only logged in users can normally change their password using the "Change Password" button. Thank you for your continued patience and understanding while we monitor these newly implemented fixes.
Posted Dec 05, 2020 - 14:14 UTC
Identified
A non-handled type of issue showed by an SMTP connectivity issue to Google Workspace due to a conflict that happened with the service firewall. The issue resulted in showing sensitive information for password change tokens that can be used by an attacker to change the password account as if they were the account-holder themselves.
As part of the additional security measures we’ve taken, we applied careful review of all the accounts that requested a password reset in the last 30 days using unrecognized devices or IPs, we made sure that all their transactions and requests are safe and secure. No accounts were affected. Moreover, we received no reports to date regarding transaction issues or balance-related issues. Our system can recognize the logins using unrecognized devices or IPs and can monitor that for any suspicious activities.
We’re continuing to limit the ability to reset your password from the login interface, only logged in users can normally change their password using the "Change Password" button. We're working to get things back to normal as quickly as possible. We hope that our transparency throughout this process, and sharing all the related updates through our status page, is helping everyone to be informed of the incidents happening, even if no accounts were affected.
Posted Dec 05, 2020 - 13:12 UTC
Investigating
We are currently investigating an issue related to the self-service password reset using the email address. We are investigating and taking steps to fix it. You may be unable to reset your password using your email address or phone number while we review and address this incident. Thanks for your patience.