We’re actively relying on Cloudflare caching for our website pages to load faster. We have a mechanism for caching user data based on user identifiers which prevent Cloudflare to serve one user data to another.
For some reason (we’re exploring), the Settings on Cloudflare cache rules have changed and all of our website requests started to get the same and only one user portfolio page.
Again, that was only read-only to the portfolio, nobody had the ability to do any edit actions because they had no permission to do so.
Right after the incident was reported, we did put our website in maintenance mode, purged and disable all the Cloudflare caches. All user portfolio data is safe and we’re going to come up with the action items for preventing this kind of incident in the future.