Kustomer incident

[Facebook/Instagram] Users Unable to View Data After Login

Minor Resolved

Kustomer experienced a minor incident on September 12, 2025 affecting Channel - Facebook and Channel - Instagram, lasting 1h 50m. The incident has been resolved; the full update timeline is below.

Started: Sep 12, 2025, 09:50 PM UTC
Resolved: Sep 12, 2025, 11:41 PM UTC
Duration: 1h 50m
Detected by Pingoru: Sep 12, 2025, 09:50 PM UTC

Affected components

Channel - Facebook
Channel - Instagram

Update timeline

  1. investigating Sep 12, 2025, 09:50 PM UTC

    Kustomer is aware of an event affecting Facebook and Instagram Authentication that may cause Pages to fail to display in their selection drop downs in the FB/IG admin UIs while authenticated. Our team is currently working to identify the cause of this issue in an effort to implement a resolution. Please expect additional updates within the next 30 minutes, and reach out to Kustomer support at [email protected] or via chat if you have additional questions or concerns.

  2. identified Sep 12, 2025, 10:20 PM UTC

    Kustomer is aware of an event affecting Facebook and Instagram Authentication that may cause Pages to fail to display in their selection drop downs in the FB/IG admin UIs while authenticated. Our team is still continuing to work on implementing a resolution. Please expect additional updates within the next 30 minutes, and reach out to Kustomer support at [email protected] or via chat if you have additional questions or concerns.

  3. identified Sep 12, 2025, 11:07 PM UTC

    Kustomer is aware of an event affecting Facebook and Instagram Authentication that may cause Pages to fail to display in their selection drop downs in the FB/IG admin UIs while authenticated. Our team is actively working toward a fix. We’ll provide the next update within 30 minutes. If you have any questions in the meantime, please contact Kustomer Support at [email protected] or through chat.

  4. resolved Sep 12, 2025, 11:41 PM UTC

    Kustomer has resolved an event affecting Facebook and Instagram Authentication that caused Pages to fail to display in selection drop-downs within the FB/IG admin UIs while authenticated. To resolve this issue, our team has released an update by adding missing reducers for Facebook. After careful monitoring, our team has determined that all affected areas are now fully restored. Please reach out to Kustomer support at [email protected] or via chat if you have additional questions or concerns.

  5. postmortem Sep 29, 2025, 06:05 PM UTC

    # **Summary**

    Between **September 10, 2025, and September 15, 2025**, customers were unable to log in or reauthenticate via **Facebook, Instagram, and WhatsApp** social channels. Other login methods (such as email and password) were unaffected. The root cause was a configuration update to our web security headers that inadvertently blocked required authentication flows. This prevented the login page from loading inside the hidden browser frames these providers use during OAuth. All services were restored by September 15, 2025, following a configuration correction.

    # **Root Cause**

    On **September 10, 2025**, a security update was deployed that added restrictive browser directives (X-Frame-Options: DENY and frame-ancestors 'none') across our login endpoints. While these headers improved protection against clickjacking, they also prevented OAuth flows from loading our login page within an iframe, which is required for Facebook, Instagram, and WhatsApp authentication. As a result, customers who needed to reauthenticate tokens for these channels were blocked until the issue was identified and corrected.

    # **Timeline**

    * **Sep 10, 2025, 10:51 AM (EST):** Security header update deployed.
    * **Sep 12, 2025, 10:09 AM (EST):** First customer reports issues adding Facebook/Instagram pages.
    * **Sep 12, 2025, 3:04 PM (EST):** Incident escalated to Priority 1 as multiple customers were impacted.
    * **Sep 13–14, 2025:** Teams investigated potential fixes and implemented manual customer workarounds.
    * **Sep 15, 2025, 2:48 PM (EST):** Configuration update deployed to allow necessary domains while removing the conflicting X-Frame-Options. Authentication fully restored.

    # **Lessons/Improvements**

    * **Monitoring & Escalation:** The issue could have been escalated more quickly; clearer guidance is being put in place to ensure similar incidents are prioritized earlier.
    * **Testing Gaps:** Our local development and staging environments did not apply the same header rules as production, which made reproducing the issue difficult. We are updating our environments to align with production behavior.
    * **Documentation:** Notes on header restrictions were not well-documented across teams. We are improving visibility of known constraints and best practices.
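
The header conflict and the environment gap described in the postmortem can be checked before deployment. The sketch below is an added example, not Kustomer's code: it evaluates whether a response's framing headers let a given origin embed the page, then reports origins whose verdict differs between environments. The origins `https://login.example` and `https://idp.example`, the header sets and all function names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample data: origins and header sets are placeholders, not Kustomer's values.
SELF, IDP = "https://login.example", "https://idp.example"
BEFORE = {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'"}
AFTER = {"Content-Security-Policy": "frame-ancestors 'self' https://idp.example"}
STAGING = {}  # an environment that sends no framing headers at all

def frame_ancestors(csp):
    """Return the frame-ancestors source list, or None when the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def matches(source, embedder, self_origin):
    """Simplified matching: *, 'self', scheme://host, scheme://*.host (scheme required, no ports)."""
    if source == "*":
        return True
    if source.lower() == "'self'":
        return embedder == self_origin
    src, emb = urlsplit(source), urlsplit(embedder)
    if src.scheme != emb.scheme:
        return False
    if src.netloc.startswith("*."):
        return emb.netloc.endswith(src.netloc[1:])
    return src.netloc == emb.netloc

def framing_allowed(headers, embedder, self_origin=SELF):
    """Verdict for one direct embedder; frame-ancestors, when present, overrides X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:  # 'none' and an empty list match nothing
        return any(matches(s, embedder, self_origin) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    return embedder == self_origin if xfo == "SAMEORIGIN" else True

def drift(environments, embedders):
    """Return embedders whose framing verdict differs between environments."""
    out = {}
    for e in embedders:
        verdicts = {name: framing_allowed(h, e) for name, h in environments.items()}
        if len(set(verdicts.values())) > 1:
            out[e] = verdicts
    return out

print(drift({"production": BEFORE, "staging": STAGING}, [IDP]))
```

A non-empty result from `drift` means a framing-dependent login flow can pass in one environment and fail in another, which is the reproduction gap the lessons section describes.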