Recently we've been made aware of a vulnerability which would have allowed an attacker to gain access to various Sentry metadata. This information includes various account details, as well as credentials for integrations and Sentry's web API (both keys and auth tokens). We have no reason to believe this information was compromised, but are addressing that possibility as aggressively as we can.
You should do the following as soon as possible:
1. Rotate any existing API keys or authentication tokens used with our web API (such as those used to upload release artifacts). Create a new key or token, update your systems, and only then remove the previously used keys.
   We will be forcibly removing any keys affected by this on June 15th at 1pm PST.
2. Change the password on your Sentry account. Our passwords are strongly hashed (bcrypt), but that doesn't guarantee your account is safe.
3. If you're using JIRA, change the password of the account used to link JIRA to Sentry.
4. Review any other integrations you're using (issue trackers and notification services) and rotate their credentials where necessary. You will also want to consider rotating some other tokens:
   - URLs such as those used in the Slack integration may not give an attacker access to your data, but they can still be abused to send noise or misleading information.
   - DSNs allow an SDK to send data to Sentry. An attacker could use one to send false data or noise, but cannot use it to access any data. To rotate a DSN, visit your project's Settings tab and click "Client Keys (DSN)" in the sidebar.
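As an added illustration of the DSN rotation step (example code written for this page, not Sentry's own tooling): a small script that inventories the DSNs embedded in a constructed sample configuration, so you know which projects' "Client Keys (DSN)" pages to visit and which copies of the old DSN have to be replaced afterwards. It parses the DSN layout Sentry documents, `{PROTOCOL}://{PUBLIC_KEY}:{SECRET_KEY}@{HOST}/{PATH}{PROJECT_ID}`; the sample DSNs, keys and hostnames below are placeholders.

```python
"""Inventory Sentry DSNs found in config or source so the matching client keys
can be rotated.  Added example for this advisory, not Sentry code."""
import re
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import urlsplit

# DSN layout as documented by Sentry:
#   {PROTOCOL}://{PUBLIC_KEY}[:{SECRET_KEY}]@{HOST}[:{PORT}]/{PATH}{PROJECT_ID}
# Keys are hex strings; the project id is the last path segment.
DSN_RE = re.compile(
    r"https?://[0-9a-f]+(?::[0-9a-f]+)?@[\w.\-]+(?::\d+)?(?:/[\w\-]+)*/\d+"
)


class Dsn(NamedTuple):
    scheme: str
    public_key: str
    secret_key: Optional[str]   # absent in public (browser) DSNs
    host: str                   # host[:port]
    project_id: int


def parse_dsn(dsn: str) -> Dsn:
    """Split one DSN into its components; raises ValueError on malformed input."""
    parts = urlsplit(dsn)
    if not parts.username or "@" not in parts.netloc:
        raise ValueError(f"not a Sentry DSN: {dsn!r}")
    _prefix, _, project = parts.path.rpartition("/")
    if not project.isdigit():
        raise ValueError(f"DSN has no numeric project id: {dsn!r}")
    host = parts.netloc.rpartition("@")[2]
    return Dsn(parts.scheme, parts.username, parts.password, host, int(project))


def find_dsns(text: str) -> List[Dsn]:
    """Return every distinct DSN found in the text, in order of first appearance."""
    seen = {}
    for match in DSN_RE.finditer(text):
        seen.setdefault(match.group(0), parse_dsn(match.group(0)))
    return list(seen.values())


def projects_to_rotate(dsns: List[Dsn]) -> List[Tuple[str, int]]:
    """Unique (host, project_id) pairs: one 'Client Keys (DSN)' page to visit per pair."""
    return sorted({(d.host, d.project_id) for d in dsns})


def redact(dsn: Dsn) -> str:
    """Loggable form that keeps only a key prefix, so the inventory itself is not a secret."""
    secret = ", secret key present" if dsn.secret_key else ""
    return f"{dsn.host} project {dsn.project_id} (public key {dsn.public_key[:6]}...{secret})"


# Constructed sample config; the keys and hosts are placeholders, not real credentials.
SAMPLE_CONFIG = """
SENTRY_DSN=https://0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210@app.getsentry.com/12345
raven_js_dsn = "https://00ff00ff00ff00ff00ff00ff00ff00ff@app.getsentry.com/12345"
SENTRY_DSN=https://0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210@app.getsentry.com/12345
ONPREM_DSN=https://abcdef0123456789abcdef0123456789@sentry.example.internal:9000/sentry/67890
"""

if __name__ == "__main__":
    found = find_dsns(SAMPLE_CONFIG)
    for dsn in found:
        print(redact(dsn))
    print("client key pages to visit:", projects_to_rotate(found))
```

Run it against your real repositories and deployment configs (grep for `@` plus your Sentry host if the regex misses an unusual layout); every DSN it reports must be replaced with the newly generated key, and nothing that matches the old DSN should remain once the old key is deleted.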
On our end we've rotated the access tokens and related secrets used for Single Sign-On; this means you'll need to re-validate your identity by logging in again.
Security is of the utmost importance at Sentry, and it's a sad day for us to have to send this email. We've let you down, and we're going to be actively working to ensure a situation like this cannot happen again. A more thorough report on the incident will be made available when we've finished our investigation.
Note: You're receiving this ahead of any public announcement, and we'd appreciate if you didn't make this public yet as we're still in the process of investigating the incident further. We apologize for the light details in this email, but feel it's important to give you the most important information as quickly as possible.
Since this gist has been linked around a few times, this is the post mortem with details: http://blog.getsentry.com/2016/06/14/security-incident-june-12-2016.html