We are currently investigating an issue impacting the Security Service. A serverless function, ad-events-processor-fn, was identified as publicly accessible and potentially capable of performing privileged actions without authentication. This poses a risk of unauthorized access or data modification.
The incident was detected on January 26, 2026, at 18:47 UTC and has been escalated to critical.
Our team is actively working on containment measures, including restricting public access to the function and reviewing its permissions. We will provide further updates as more information becomes available.
We apologize for any inconvenience this may cause.