On May 17, 2018, a subset of 2.500 MyGet users accidentally received an automated e-mail informing their account was deleted due to inactivity (while no user data was in fact, removed). We want to apologize for this accidental e-mail, and detail our investigation into why this happened.
Since a couple of weeks, we are tracking inactive users on our free plan, for two reasons. First, of course, it would be nice if those users become active again, and maybe even upgrade to a paid subscription. Second, as part of our efforts in ensuring user privacy, we want to ensure we don’t keep user data around for users who are no longer using our service.
There are two processes involved in this, let’s call them
Flag job checks existing users and their subscription, and informs inactive users how they can keep their account active (or let it expire after a further 30 days of inactivity). When looking at the accidental e-mails, they all looked like they were sent by the
Flag job, which is also what we communicated with affected users on May 17, 2018.
Further investigation learns the
RemoveIncomplete was responsible for these accidental e-mails.
Let’s look at something else first. When clicking the Microsoft Account or GitHub identity provider on the MyGet login screen, we create a temporary profile without a username. The first step after the first login is for our user to pick their desired username. If they don’t, the user profile is deemed “incomplete” as there is no username attached to it. It’s this type of profiles the
RemoveIncomplete job removes.
Under the hood, this job uses the same code we use to remove a user profile when requested by the user. As a confirmation, we send the user an e-mail when removal is finished. It’s this type of e-mail that was sent by the
Users all of a sudden received e-mail stating their account was deleted and panicked. Adding to the confusion, no username was mentioned in the e-mail.
RemoveIncomplete job successfully removed incomplete user profiles. It should never send out e-mails, but a recent code change had disabled that check. Which translated into many users getting an “account was removed” e-mail without the username being included (as there is no username in an incomplete user profile).
So why did some existing users receive an e-mail if it’s only incomplete user profiles being removed? The answer to that is fairly simple. All of the users that received the accidental e-mail, received it because they had an incomplete profile next to their actual profile:
- User profile
email:email@example.com - deleted and e-mailed
- User profile
email:firstname.lastname@example.org - unaffected and still active
In this case, user
id:12345 was removed (because there was no username attached to it), and accidentally sent an e-mail. User
id:54321 is still active and unaffected.
We again want to apologize for the confusion this caused, and have updated our codebase to not send out e-mails in this case, and added relevant unit tests to prevent this from happening again.