Registered delivery issue with notifications

Update timeline

1. investigating Aug 06, 2025, 07:18 AM UTC

   We are currently investigating an issue where some booking notifications are not being received by users. Please note that this issue does not appear to be affecting all accounts. Our developers are actively investigating the root cause and working to resolve it. We apologize for any inconvenience this may cause and appreciate your patience. We will share further updates as soon as we have more information.

2. investigating Aug 06, 2025, 08:43 AM UTC

   We are continuing to investigate this issue.

3. identified Aug 06, 2025, 08:44 AM UTC

   We identified the root cause of the issue and trying to re-establish notifications as soon as possible.

4. identified Aug 06, 2025, 11:54 AM UTC

   We have been experiencing an incident with our external email distribution service. As a result some notifications were not sent. It affects all notifications to merchants, resources or guests. This has not prevented new bookings meanwhile. We have identified the cause as phishing emails and therefore the email service has been temporarily stopped for security measures. We expect the email service to be put back online within working hours today, with measures preventing any further phishing emails. Be aware that the "resend" option in the booking details is as well not functional at the moment. In the meantime, if you have customers reaching out to you, you can go to the booking and download the ticket and send it to them in a separate email. We'd like to emphasize that our teams are here to help and available for you to reach out if you have any further questions or need help with the above. Your business continuity is our first priority and we are here to support you.

5. monitoring Aug 06, 2025, 05:33 PM UTC

   All notifications are being sent again. The temporary disruption was caused by a phishing email detected by our external email distribution service. We will continue to monitor the situation closely. We apologize for any inconvenience this may have caused.

6. resolved Aug 07, 2025, 09:29 AM UTC

   The incident has been resolved and booking notifications are being delivered as expected. As mentioned, the root cause seemed to be related to a phishing email attack detected by our external email distribution service. A more detailed explanation of the incident will be shared in the coming days. Our client services teams remain at your disposal for any continued support you may need. We sincerely apologize once again for any inconvenience caused.

7. postmortem Aug 12, 2025, 01:53 PM UTC

   **Incident Date:** August 5, 2025 6pm CEST – August 6, 2025, 7pm CEST **Incident Duration:** Approximately 25 hours **Affected Services:** Email notifications ### **Incident Description** On August 5, at around 5:58 PM CEST, our email delivery service provider suspended our account due to a sudden and significant increase in automated emails being sent from our platform. This action was a precautionary measure on their part to prevent potential misuse. As a result, all email notifications, including booking confirmations for guests, merchants, resources as well as pre/post trip notifications, were completely halted. Full service was restored by 7:04 PM CEST on August 6, with all pending emails successfully delivered by August 8th. ### **Impact** The incident led to a complete halt of all email notifications. During this 25-hour period, customers and merchants did not receive booking confirmations or other important email updates from our system. We have since verified that all emails that were not delivered during the outage have been sent. ### **Resolution** Our team immediately began investigating the cause of the service interruption. We discovered that a fraudulent account had been created on our platform and was being used to send a large volume of unsolicited emails, which triggered the suspension. To resolve the issue and regain access to our email service, we took the following steps: * **Identified and disabled the fraudulent account** to stop the malicious activity. * **Disabled our public signup page** as an immediate and temporary measure to prevent any similar accounts from being created. * **Coordinated with our email service provider** to explain the situation and demonstrate that the threat had been contained. * **Implemented security enhancements** including rotating our system's API keys and increasing account security. * **Re-queued backlogged emails** in our service provider. * **Manually resent** all the guest notification emails that could not be processed by our email provider. ### **Preventive Measures and Recommendations** We are committed to strengthening our security to prevent similar incidents in the future. To that end, we have outlined the following actions: * **Implement enhanced trial account vetting:** We will introduce additional checks to verify new accounts before they are granted access to email-related functionality. * **Set up email volume monitoring:** We are establishing automated alerts that will notify our team of any unusual email volume from a single account, allowing us to proactively identify and address potential misuse. * **Reinforce endpoint security:** We will implement rate-limiting on key endpoints to prevent them from being abused by automated systems. Our team is dedicated to providing a secure and reliable platform for our users. We sincerely apologize for the inconvenience this incident caused and are working diligently to implement these new measures.