Authentication identifier issue — report and fix

On 1 May 2026 we identified an authentication-system issue with how internal identifiers were handled. The issue was promptly fixed; we are publishing this report in the interest of transparency.

BotShade Team

Last updated: May 2, 2026

Thank you for using BotShade.

Shortly after the beta launch, on 1 May 2026, we identified an issue in our authentication system related to how internal identifiers were handled. The issue has already been fixed, and we are publishing this report in the interest of transparency.

Summary of the issue

In the OAuth login flow, under specific conditions, a user’s session could be associated with information from an unintended account.

Timeline

| Time (JST) | Event |
| --- | --- |
| 1 May 23:47 | Received a report from a user: “After logging in I was associated with another account” |
| 2 May 00:07 | Investigation started; backend confirmed working as expected |
| 2 May 00:24 | Root cause identified inside the BotShade middleware layer |
| 2 May 00:27 | Fix deployed; existing sessions invalidated |
| 2 May 00:31 | Login flow verified; normal operations resumed |

Impact

The investigation confirmed:

  • Number of users actually affected: 0
  • Cases where another user’s personal information was shown to a third party: none
  • The information seen by the one customer who hit this state before the fix was only that of an internal development-verification account belonging to the operations team

No mixing of data between customers occurred.

Root cause

In the authentication flow, there was a design flaw where the namespace of internal identifiers could collide between different kinds of accounts. Under specific conditions this could cause the system to return the wrong account information.

Remediation

  • Re-designed the system so identifier namespaces are completely separated
  • Added explicit verification of account type during the authentication flow
  • Audited the wider codebase for similar issues and applied corresponding fixes
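
The class of flaw described under Root cause, and the first two remediation items, can be modelled in a few lines. This is an added illustration, not BotShade's code: the report does not describe the identifier format or the middleware, so every name here (`AccountType`, `resolve_shared`, `resolve_separated`, `bind_oauth_session`) and every ID is hypothetical and constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class AccountType(Enum):
    CUSTOMER = "customer"   # created through the OAuth login flow
    INTERNAL = "internal"   # e.g. an operations-team verification account


@dataclass(frozen=True)
class Account:
    account_type: AccountType
    raw_id: str
    name: str


# Constructed sample data, not real identifiers.
ACCOUNTS = [
    Account(AccountType.INTERNAL, "1001", "ops-verification"),
    Account(AccountType.CUSTOMER, "2002", "alice"),
]


def resolve_shared(accounts, raw_id: str) -> Optional[Account]:
    """Flawed: every account kind shares one key space, so IDs can collide."""
    index = {a.raw_id: a for a in accounts}
    return index.get(raw_id)


def resolve_separated(accounts, kind: AccountType, raw_id: str) -> Optional[Account]:
    """Hardened: the account kind is part of the lookup key."""
    index = {(a.account_type, a.raw_id): a for a in accounts}
    return index.get((kind, raw_id))


def bind_oauth_session(account: Optional[Account]) -> Optional[str]:
    """Explicit account-type check before a session is bound to an account."""
    if account is None:
        return None                      # unknown customer: nothing to bind
    if account.account_type is not AccountType.CUSTOMER:
        raise PermissionError("OAuth login resolved to a non-customer account")
    return account.name


if __name__ == "__main__":
    oauth_subject = "1001"  # constructed: a customer ID equal to an internal ID
    print(resolve_shared(ACCOUNTS, oauth_subject))
    print(resolve_separated(ACCOUNTS, AccountType.CUSTOMER, oauth_subject))
```

The type check in `bind_oauth_session` is kept even though the separated lookup already prevents the collision, so that a future code path that reintroduces a shared lookup fails closed.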

Thanks to the reporter

We sincerely thank the customer who discovered this issue and reported it to us in good faith.

Receiving feedback like this during the beta is an irreplaceable asset for BotShade.

Going forward

If you have any concerns or questions, please reach out via the support server or the contact form. We will continue to report on security-relevant matters transparently regardless of the size of the impact.

Thank you for continuing to support BotShade.
