Edison Mail Resolved Software Security Bug Which Allowed Two Users to Access Each Other’s Accounts — 6,480 Potentially Impacted

No account credentials were compromised; issue was fully resolved within 30 hours of first report.

Changing Communications
May 18, 2020


Key Takeaways:

  • A recent server-side update to a fraction of our iOS users introduced a security bug that allowed unauthorized email account access between two users. User A and User B could access each other’s accounts connected to Edison Mail for iOS; no other unauthorized access occurred.
  • Up to 6,480 Edison Mail iOS users were potentially impacted.
  • Android and Mac OS users were not impacted.
  • No passwords or credentials were exposed or compromised.
  • Edison Mail has since resolved the issue.
  • As an additional precaution, Edison has already notified impacted users and advised them to change their email account password. If you have not received an email, you were not impacted.

On Friday, May 15th, 2020, we made a server-side update to a feature that allows iOS users to manage accounts across their Apple devices. This update caused a technical malfunction that impacted approximately 6,480 Edison Mail iOS users. This temporary issue was a security bug and not related to any external security issues.

Data from these individuals’ impacted email accounts may have been exposed to one other user. Only one user could access another user’s accounts connected to Edison Mail for iOS. No passwords were compromised. On Saturday morning a patch was deployed to remove and prevent any further exposure. As a safety measure, the patch prevented all potentially impacted users from being able to access any mail from the Edison app.

A new version of the application was made available early Sunday morning in the App Store that restores full functionality for these 6,480 users. Other users were not impacted and no action is required.

We have notified all individual users who may have been impacted by this issue via email, and as an additional safety precaution, suggested that impacted users also change their email account password. If you did not receive an email on this issue then your account was not impacted.

We thank the users who reached out quickly to notify us of this issue so we could address it as fast as possible. We understand that it is our responsibility to ensure this type of malfunction does not happen and apologize to those impacted users. We are putting in place additional functionality and processes to ensure that this never happens again.

