An automated webhook from a billing staging site was triggered on May 19th at 8:43am UTC. This billing staging site was created to test functionality for a small subset of customer accounts. As part of configuring this staging site, a webhook was unintentionally set up to reach a production site.
The affected customer accounts were set up as test accounts on the staging site. Test accounts on the staging site were automatically set to deactivate 6 months after creation, which was unknown at that time to Spreedly. Since these accounts were set up on Nov 18th, 2020, they were automatically deactivated on May 19th, 2021, which then prompted the configured webhook to fire and deactivate these accounts in Spreedly’s production systems. Once Spreedly on-call teams were alerted, the root cause was determined and these accounts were reactivated and the webhook was disabled. The Infrastructure team also made changes to prevent any unwarranted communication between Spreedly Production systems and the billing staging site, which would prevent any type of change in the staging system to affect production.