At Railway, we understand the importance of security and protecting your information, and we are writing to inform you of an incident involving our platform.
In the early morning hours of June 2nd, we identified a potential security vulnerability in our internal, user-facing Docker registry.
We immediately began to investigate and blocked new user signups.
We took measures to patch the vulnerability and terminate any unauthorized access. We have also engaged a cybersecurity firm to thoroughly investigate and address the incident. Our initial investigation this week indicates that an unauthorized third party accessed certain files of some of our users on our platform due to this vulnerability.
What Information Was Involved?
The vulnerability we discovered could have been used by a malicious user to request build payloads for other users, which, in some instances, contained build artifacts such as user secrets, source code, and production assets.
What We Are Doing
We are continuing to work with our cybersecurity firm to investigate and address what happened, but at this point we believe the vulnerability has been addressed and any unauthorized access terminated.
Additionally, we have internally rotated all production environment secrets, and validated that the existing keys were not abused during our initial assessment.
What You Can Do
- For Railway Plugins, we've added a 1-click secret rotation. Documentation is available in this week's changelog.
- For third-party secrets (Custom Variables), we recommend you invalidate them with your provider (e.g. Stripe, Magic, etc.). Upon request, we can also reach out and have these keys invalidated.
While we believe the vulnerability has been patched and are working to determine the precise segment of the user base that may have been affected, we are letting all Railway users know in the interest of transparency because we value your trust and support.
If we have confirmed or suspect that you are potentially affected by this vulnerability, you will receive an email from us with recommended steps to take.
We regret that this incident has occurred and are in the process of taking the steps we believe are necessary to ensure that the vulnerability we discovered is addressed and cannot be used in the future.
For More Information
If you have any questions please don't hesitate to contact us at email@example.com.