General Updates
Starting on the 15th of September 2025, Fastly will strengthen how password expiration is enforced for organizations with PCI password requirements enabled. Users
with expired passwords
will be prompted to set a new password at their next login.
What’s Changing?
This change in our system's behavior ensures that all customers who have enabled PCI (Payment Card Industry) password requirements will experience consistent and robust enforcement of password expiration policies. This update is crucial for maintaining the highest security standards and compliance with industry regulations.
By aligning user login behavior with established security best practices and compliance standards, we are taking a proactive step to safeguard sensitive data and enhance overall system integrity. This consistency in password expiration helps to mitigate risks associated with stagnant or compromised credentials, thereby protecting both our customers and their valuable information
What’s next? What do I have to do?
Users with expired passwords will need to perform a password reset when logging in.
Contact Information
Customers with any questions or concerns may engage with our Support team by emailing support@fastly.com .Fastly was impacted by the recent security incident involving Salesloft's Drift application. We have investigated and notified all Fastly customers affected. This incident was isolated to our Salesforce instance and did not impact any Fastly services, infrastructure, or products. This post includes a summary of our response and the customer outreach we’ve performed.
What Happened
Between August 13 and August 18, 2025, a threat actor (tracked as UNC6395 by Google Mandiant) exploited stolen OAuth tokens tied to the Drift integration to gain unauthorized access to Salesforce instances across many companies, including Fastly. The incident was contained on August 20, 2025 when Salesloft and Salesforce disabled the integration. We immediately began our own investigation, confirming that the malicious activity was isolated to our Salesforce instance and the data accessed was limited to case subjects, descriptions, and contact details.
What We Did Immediately
After confirming containment, our security team took the following actions:
Reviewed Salesforce audit logs for anomalous activity.
Analyzed and removed other active Drift integrations out of an abundance of caution, confirming only the Salesforce integration was impacted.
Reset OAUTH sessions by re-authenticating the integration account.
Coordinated with Salesforce to verify containment and extract details not contained in audit logs.
Analyzed query activities by the threat actor to identify the compromised data.
What You Can Do
We recommend customers rotate any credentials previously shared with Fastly in a support case. Additionally, to protect against potential follow-up attacks, please be cautious of unsolicited emails, calls, or requests for sensitive information. Remember, Fastly will never ask for your passwords or credentials.
Customer Notifications
We have distributed Fastly Service Advisories to impacted parties as of September 4. Fastly customers with superuser access on impacted accounts should have received an email notification of a new message in their Fastly control panel Message portal or a direct email from support@fastly.com. All other users on the impacted accounts will have received a Fastly Service Advisory to the Message portal within their control panel, and can view it upon their next log-in.
Customers who have not received a Service Advisory were not identified in our investigation as being impacted. If you have questions, please email support@fastly.com.
Due to the recent implementation of a new billing system, you may experience a delay in receiving your invoice for August 2025. We are committed to prompt and accurate billing and apologize for any inconvenience this may cause.
What’s next? What do I have to do?
Fastly's support team will contact affected customers with more details during North America business hours on Thursday, 4th of September 2025.
On the 5th of September, if you have not yet received your invoice and have not been contacted by us through the notifications center in the Fastly User Interface (UI), please email us at billing@fastly.com. We will work with you to resolve any issues.
For other questions or concerns, please contact our Support team at https://support.fastly.com or reach out to your designated account team members.
To offer feedback on our status page, click "Give Feedback"
On the 26th of August 2025, we released an update to the VCL Editor in the Fastly Control Panel. This release unified Snippets, Custom VCL, and Complete VCL into a single, modernized view.
What has Changed
This update introduced several improvements:
Modernized Code Editor: Enjoy a smoother coding experience with syntax highlighting, error checking, and code folding.
Full-Screen Mode: Expand the editor to easily read, edit, and review complex VCL.
Unified VCL View: Manage VCL Snippets, Custom VCL, and Complete VCL in one place to simplify your workflow.
Editable Dynamic Snippets: Add and edit Dynamic Snippets directly in the UI.
Boilerplate Insertion: Insert boilerplate code directly from the Custom VCL view.
Auto-Generated Code: Reduce manual effort by automatically generating standard VCL functions and variables.
To learn more about these changes, please see our documentation: About VCL snippets and Using VCL snippets.
What’s next? What do I have to do?
No action is required.
Contact Information
If you have any questions, please contact our Support team at https://support.fastly.com or reach out to your account team.As part of Fastly's ongoing global network expansion, we are announcing the addition of our new data centers in Madurai (IXM) and Delhi (QAG).
These facilities will initially launch as a limited availability deployment on the 19th of August, 2025, meaning not all customer traffic will be routed through this new location during this initial phase.
Our estimated duration is 4 hours, starting at 18:00 UTC on Aug-19th.
When this change is applied, customers may observe additional origin traffic as new cache nodes retrieve content from origin. Please verify that your origin access lists allow the full range of Fastly IP addresses [Public IP List | Fastly Documentation].
Customers with any questions or concerns may engage with our Support team through [Fastly Support] or by contacting your designated account management team members.
The scheduled maintenance has been completed.
To offer feedback on our status page, click "Give Feedback"
On the 13th of May 2025, Fastly received a pre-release report detailing a distributed denial of service (DDoS) vulnerability called MadeYouReset (CVE-2025-8671). Fastly implemented a fix for this vulnerability in release 25.17 of Fastly’s internal fork of H2O. The fix was deployed and fully implemented across Fastly on the 2nd of June 2025.
Vulnerability Details
The MadeYouReset vulnerability (CVE-2025-8671) was publicly disclosed on the 13th of August, 2025. This vulnerability exploits the same HTTP/2 protocol implementation flaw that was used in Rapid Reset (CVE-2023-44487). The MadeYouReset vulnerability existed in the upstream H2O repository and also in Fastly’s forked version of H2O. In addition to ensuring our forked version of H2O was patched, Fastly Engineering coordinated with the original vulnerability researcher to proactively patch the upstream repository and resolved the core issue. This ensured the fix is available across all environments that rely on the open source implementation of H2O.
For more information about this vulnerability and its upstream fix in H2O, please see:
What’s next? What do I have to do?
No customer action is required. The fix has been applied across Fastly.
Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or by contacting your designated account management team members.
On the 18th of July, 2025, Fastly was made aware of a new HTTP/1.1 desync attack vector. Our security response engineers immediately initiated a thorough internal investigation, which determined that the Fastly platform is
not vulnerable
to this attack vector.
On the 21st of July, to validate our findings, we collaborated with the third-party researcher who discovered the attack vector. In this process, we confirmed that no Fastly-hosted endpoints were flagged as vulnerable during their research. The researcher noted that "Fastly seems to be relatively robust against desync attacks."
For additional due diligence, our Engineering teams also reviewed a preview of the full whitepaper on 28th of July, which further confirmed our conclusions.
You can read more about their research here: [ The Desync Endgame Begins by James Kettle from PortSwigger Research ]
Due to the recent implementation of a new billing system, you may experience a delay in receiving your invoice for July 2025. We are committed to prompt and accurate billing and apologize for any inconvenience this may cause.
What’s next? What do I have to do?
Fastly's support team will contact affected customers with more details during North America business hours on Monday, the 4th of August.
On the 5th of August, if you have not yet received your invoice and have not been contacted by us through the notifications center in the Fastly User Interface (UI), please email us at billing@fastly.com. We will work with you to resolve any issues.
For other questions or concerns, please contact our Support team at https://support.fastly.com or reach out to your designated account team members.
To offer feedback on our status page, click "Give Feedback"
Status Post, Created Date/Time: 0001-01-01 00:00:00 UTC
Note: Our Customer Escalation Management team will update the start date and time of the initial "investigating" status post upon the resolution of this incident. This update is meant to provide our customers and their end users with a potential impact window. The date and time mentioned in the message above indicates when the status post was requested by our Acute Incident Response team.
On the 9th of July 2025, Fastly released an update to introduce Automated User Lifecycle Management. This update included provisioning, deprovisioning, and real-time updates via System for Cross-domain Identity Management (SCIM) which are now available via the Fastly Control Panel for all Fastly services for customers using Okta.
What’s Changing?
This update will enable:
- Reduction in Human Errors: Reduction in overhead associated with manually managing users within the applications.
- Automated User Management: SCIM integration improves security by ensuring that user management is restricted to and inherited from the Identity Provider (IdP), reducing the risk of manual errors.
- Comprehensive Audit Logs: Detailed logging of all SCIM-related activities supports compliance requirements for user activity monitoring and reporting.
- Reduced Manual Intervention: Automating user provisioning and deprovisioning minimizes the risk of human error in account management
- Improved Security Posture: Improve security posture for Fastly and you, by ensuring all user management is restricted/inherited from an IdP.
- SCIM 2.0 Compatibility: Adherence to SCIM 2.0 specifications ensures interoperability and compliance with industry standards for identity management.
To learn more about why we have made this change please read our Automating user management documentation.
What’s next? What do I have to do?
Nothing. All actions taken during this planned release belong to Fastly.
Contact Information
Customers with any questions or concerns may engage with our Security team through security@fastly.com or by contacting our Support team at https://support.fastly.com.
From Tuesday, April 29th through Monday, May 5th, 2025, Fastly shared a status post about a series of updates performed to enhance the billing platform within the Fastly Control Panel.
As part of our continued commitment to ensure the accuracy of invoices billed for the month of May 2025, our billing team has extended our period of manual review and validation until Friday, June 6th 2025. As a result, some customers have and may continue to experience a delay when receiving their invoices.
What’s next? What do I have to do?
Please continue to reach out to billing@fastly.com if you receive your invoice and identify a discrepancy. We will work with you to resolve the issue.
Customers with any questions or concerns may engage with our Support team through https://support.fastly.com or by contacting your designated account management team members.