When Consumer Reports contacted us about the issues they found, we fixed them right away. No users were ever impacted.
There were three main issues:
- Partner feature – Users can invite their partners to view period cycles. Originally, there was no verification if an email was entered incorrectly or accidentally. We fixed this immediately so users can confirm or correct mistakes before inviting, so that only the right partner can access their health data.
- Public forum data – Some personal details (like a user’s email and full birth date) could appear in the public forum. We removed those details right away and replaced birth date with an age range. Users still control what info they share in their profiles.
- Password change bug – A password could be changed without entering the old password, through an API call. We quickly disabled the feature, then released a patch. Now, changing a password requires an access token, the old password, and the new password.
In all cases, we acted quickly, fixed the issues, and no users were affected.