Fluid Attacks experienced a notice incident on July 23, 2025 affecting Platform, lasting 3h 13m. The incident has been resolved; the full update timeline is below.
Update timeline
- identified Jul 23, 2025, 11:02 PM UTC
Users trying to access the platform through BitBucket are unable to log in due to a redirect URI issue.
- identified Jul 24, 2025, 01:12 PM UTC
We are continuing to work on a fix for this issue.
- resolved Jul 24, 2025, 01:39 PM UTC
The incident has been resolved, and access via BitBucket authentication is now working properly.
- postmortem Jul 24, 2025, 11:18 PM UTC
**Impact** At least one user experienced problems accessing the platform. The issue started on UTC-5 25-07-23 15:14 and was reactively discovered 1.2 hours (TTD) later by a client who reported through our help desk [\[1\]](https://help.fluidattacks.com/agent/fluid4ttacks/fluid-attacks/tickets/details/944043000042602825) that, when trying to log in, an `Invalid redirect_uri` error was displayed, preventing access. No other modules were affected, nor were users who do not use Bitbucket for login. The problem was resolved in 2.1 hours (TTF), resulting in a total window of exposure of 3.3 hours (WOE) [\[2\]](https://gitlab.com/fluidattacks/universe/-/issues/17096).

**Cause** The problem was caused by a change in the redirect URL used for login. Specifically, an alias was added to the Bitbucket callback configuration in the production environment, which affected users logging in through Bitbucket.

**Solution** The tokens for Bitbucket authentication were rotated again, both in the development and production environments, to restore proper access [\[3\]](https://gitlab.com/fluidattacks/universe/-/merge_requests/81599).

**Conclusion** The platform is now working as expected for users logging in via Bitbucket. This incident highlights the importance of validating configuration changes before deploying to production, especially those related to authentication.

**ROTATION\_FAILURE < INCOMPLETE\_PERSPECTIVE**