Check gitlab-rails/production_json.log for HTTP requests to the /users/password path with params.value.email consisting of a JSON array with multiple email addresses.
Jesus Christ. Their frontend was sending a list of recipients to the backend. That's an intern developer level of fuck up, in their login system, no less.
If this got past them, it's a sign of deep problems.
Jesus Christ. Their frontend was sending a list of recipients to the backend. That's an intern developer level of fuck up, in their login system, no less.
If this got past them, it's a sign of deep problems.
Holy shit, that's the rookiest mistake.