June 6, 2023, Single-Sign-On Security Vulnerability

We investigated a possible security vulnerability in our single-sign-on functionality on June 6 and patched it the same day. We then identified a subset of users who may have been exposed to this vulnerability, particularly those whose Replit account email address was not tied to a GitHub account. To err on the side of caution, we logged out all affected users and also logged out users who had used our single-sign-on functionality with certain other accounts. We are taking proactive steps to improve the security of our authentication systems in the coming months.