Update: On July 31, Splash released an update to prevent additional pathways to access vanity URL domains already in use. 

Splash has resolved an issue that allowed users to enter vanity URLs in their Splash event pages that targeted domains they did not own.

What happened?

A small subset of unused vanity URLs were directed to a Splash page by a user who did not represent the domain of those URLs. This incident began on July 3; Splash was made aware of it on July 6; an initial patch to resolve the vulnerability was deployed on July 7 and a final patch was deployed July 8. 

NOTE: The scope of this issue is limited to a small subset of vanity URLs. At no point did this incident impact or expose data or credentials. 

What actions should I take?

There is no action required at this time. All accounts with vanity URLs impacted have been informed. 

Where can I get more information?

If you have further questions, you can contact our support team directly at support@splashthat.com.