Quote from: Real_Drugs on July 31, 2013, 10:22 am

Quote from: Dread Pirate Roberts on July 31, 2013, 08:00 am

Hi folks, wow, I am incredibly sorry about this. Last week we were having login issues and we had to rewrite the entire system that handles logins and sessions to get the bugs out. We overlooked one thing that led to this mistake. Basically it was checking whether a large random string of characters was unique. The odds were so low for what is called a collision that it was overlooked, but indeed a collision occurred in this case. The chances of it happening were about 1 in 10e^26. That's 10 with 26 zeros. Anyway, forensics showed it was the only incidence and we've added a uniqueness check that will prevent this from happening again. I was actually suspicious when we had a bug-free release of the new system!

Thankfully moopydog was honest and didn't do anything wrong, and the user that was compromised didn't seem to mind much.

I do not understand, the OP said that he did not try and log in, he opened SR and it went straight to another user's account (no login screen). Can you please elaborate?

If the site doesn't recognize the credentials you provide (the "cookie" your browser carries around and sends the site), it takes you to the login page regardless of where you were trying to go (basically). You also get a new value every time you visit the site, so basically, what's being claimed is that the new value matched the value of someone else who was already logged in -- and hence the site treated the OP as the already logged in party, and redirected to the homepage (instead of the login page). This is virtually impossible if the numbers provided are correct. The numbers will not be correct and it will be much more likely if the pseudorandom number generator is not random enough.... see what I did there? :-X

Also, the Tor browser clears all cookies upon exit, and even though it *is* a version of Firefox, just having another Firefox browser open should not change that. It's designed to be isolated for precisely those sorts of privacy and security reasons. You can, if you choose, override that behavior -- so it isn't impossible that it may have happened to somebody, but it's very unlikely. It's also possible that it was re-started before the previous instance of the program had properly finished closing, and when the new instance started it found the old state data from the previous instance and picked it up assuming it had crashed improperly or something. Firefox itself is designed for convenience and the average user, so it does stuff like that. Whether they disable it or not for the Tor version I can't say. It's just an explanation/speculation.
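
The following is an added example, not part of the post above and not the site's code: a hypothetical in-memory session table showing the uniqueness check at token issue, and how the chance of a collision depends on how much entropy the token generator really has. `SessionStore`, `weak_source` and the 16-bit generator are constructed for illustration.

```python
import math
import random
import secrets


def collision_probability(n_tokens: int, bits: int) -> float:
    """Birthday-bound estimate of P(any two of n uniformly random tokens match)."""
    # 1 - exp(-n(n-1) / 2^(bits+1)); expm1 keeps precision when the result is tiny.
    return -math.expm1(-n_tokens * (n_tokens - 1) / 2.0 ** (bits + 1))


class SessionStore:
    """Hypothetical in-memory session table (illustrative, not any site's real code)."""

    def __init__(self, token_source=lambda: secrets.token_urlsafe(32)):
        self._sessions = {}            # token -> user (None for an anonymous visitor)
        self._token_source = token_source
        self.rejected = 0              # freshly generated tokens that were already in use

    def issue(self, user=None) -> str:
        """Hand out a token, regenerating if it matches a live session."""
        while True:
            token = self._token_source()
            if token not in self._sessions:   # the uniqueness check
                self._sessions[token] = user
                return token
            self.rejected += 1

    def lookup(self, token):
        """Return the user bound to a token, or None if the token is unknown."""
        return self._sessions.get(token)


def weak_source(seed: int = 1, bits: int = 16):
    """Constructed stand-in for a generator with too little entropy."""
    rng = random.Random(seed)
    return lambda: format(rng.getrandbits(bits), "04x")


def demo(n: int = 2000):
    """Issue n sessions from a weak store and from a CSPRNG-backed store."""
    weak = SessionStore(weak_source())
    strong = SessionStore()            # 256-bit tokens from the OS CSPRNG
    for i in range(n):
        weak.issue(f"user{i}")
        strong.issue(f"user{i}")
    return weak, strong


if __name__ == "__main__":
    for name, store in zip(("16-bit", "256-bit"), demo()):
        print(name, "tokens: collisions caught =", store.rejected)
```

Without the membership test in `issue`, every collision counted in `rejected` would instead have bound a new visitor's token to an existing session.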