Project Invite Token Information Leak

We recently discovered that some API endpoints were leaking project invite tokens (the tokens that allow users to follow joint links to gain access to a project). This was caused by a code change we deployed three days ago. The leak has been fixed and the project invite tokens have been regenerated. It is possible that during this time projects may have been accessed by unauthorized users. We therefore recommend that you change any keys that were stored in .env.

We are taking this time to improve our code review policies and putting tools in place to prevent and mitigate situations like this in the future.

Update: We found another case where some project invite tokens were still being leaked. We’ve put a fix in place and invalidated all existing invite tokens again.