Rollbar Security Advisory: Information Exposure Alert
Incident Report for Rollbar
Postmortem

Description:

On May 6th, 2020, for approximately 15 minutes, Rollbar experienced a brief "split-brain" in one of our databases. As a result, some Rollbar notifications sent to customers contained limited data belonging to another customer. We promptly discovered and remedied the issue, and our team has analyzed the scope of the exposure to determine what data may have been inadvertently shared with other Rollbar customers. Note that this incident occurred during scheduled maintenance and was not caused by any actor outside of Rollbar.

We have determined that Rollbar customers fall into two groups: those whose limited data might have been inadvertently shared with another Rollbar customer account via a notification over a private channel, and those whose data was not affected by this information exposure. At the time of this announcement, Rollbar is not aware of any case in which information shared with another Rollbar customer has been used or accessed in an unauthorized manner.

Rollbar inadvertently shared this information only over private notification channels (for example, a customer's own configured alert destination), and only to a limited number of Rollbar customers. No data was publicly visible or accessible in connection with this incident. Based on the nature of the information exposed, Rollbar characterizes this issue as medium severity.

Customer Impact and What Data Has Been Exposed:

After a thorough investigation, Rollbar identified the customers who were impacted by this incident and notified each of them. For the affected customers, Rollbar found that only the item title, project name, and account name were exposed. Raw event data, such as stack traces or variable values, was not exposed.

CVSS Score: 4.7 (Medium)

Rollbar Response to Information Exposure:

Rollbar has taken the following actions to contain and limit the exposure of data that was inadvertently shared with another Rollbar customer:

  1. Rollbar identified the customers who may have been sent other customers' data inadvertently. Rollbar reached out to this customer group to:

    1. Request that they delete the data they received belonging to another customer.
    2. Remind them that all Rollbar customers need to report any potential information disclosure directly to Rollbar, as described in the Rollbar Responsible Disclosure Policy.
    3. Remind them not to share data belonging to other Rollbar customers publicly in any form.
  2. Rollbar identified and notified the customers whose account data may have been shared with another Rollbar customer via a notification over a private channel. Where the exposed data (item title, project name, or account name) included anything sensitive, such as an access token, Rollbar has asked the affected customer to rotate it.

Rollbar has found no evidence that customer data was exposed to anyone other than as described here, and has received no evidence of the exposed data being used or accessed in an unauthorized manner.

We take the protection of our customers' information very seriously and are taking steps to prevent similar incidents from occurring in the future. The Rollbar team is available to address any concerns in this matter at security@rollbar.com.

Posted May 08, 2020 - 17:54 PDT

Resolved
Please see the security advisory in the postmortem of this incident for details.
Posted May 06, 2020 - 02:30 PDT