From 01:00 AM to 07:50 PM EDT on Tuesday, March 17, 2020, unexpected enrollment emails were sent after Active Directory, Azure Active Directory, and OpenLDAP syncs ran, even though the syncs were not configured to send enrollment emails to unenrolled users. This issue only affected Directory Sync on DUO33, DUO50, DUO56, DUO58, DUO62, and DUO63.
Duo’s Engineering Team has identified the root cause of this incident, and we are committed to improving our development and testing processes to prevent the possibility of similar issues moving forward.
The root cause of this incident was determined to be a bug introduced in Duo’s mid-March release, which began deploying to customers on March 16. The bug was escalated to Duo’s Engineering Team, and the release was halted on March 17.
A fix was released to all affected deployments by 7:42 p.m. EDT and the regular release process was resumed.
The enrollment links contained within these emails are now deactivated. Unenrolled users who received these emails in error will no longer be able to use them to enroll in Duo. If unenrolled users click the link, they will see the message “This enrollment code has expired. Contact your administrator to get a new enrollment code.”
We will follow up with affected customers with more information tomorrow.