Code Room
Category: On-call | Difficulty: Medium | ID: oc-g374
Subject: Credential leak | Level: Mid–Senior | ~35 min | Common in Reliability & on-call interviews | Industries: Software development, Technology

Question

A partner reports that some of your **password-reset / magic-link tokens** are appearing in *their* server logs. Investigation shows that your reset links carry the token in the URL **query string** (`/reset?token=...`) and that the reset page loads third-party assets (analytics, fonts, a chat widget). The browser sends the full document URL, token included, in the `Referer` header of every request for those assets, and each third party logs it. The tokens are single-use and expire in 60 minutes, but they leak to several external parties on every reset, and a third party receives the token while the page is still loading, before the user has submitted the form. No account has been provably taken over yet. How do you triage the exposure, contain it, and fix the leak?

What a strong answer looks like

Stop the bleeding first: revoke every outstanding reset token (single-use, 60-minute tokens bound the blast radius to the last hour's issuance plus whatever the partners' logs retain), ship a `Referrer-Policy: no-referrer` header as a stopgap, and ask the partners to purge the logged URLs. Then form hypotheses from real signals rather than guesses: your own access logs tell you, for each leaked token, whether it was consumed by the client that opened the link, consumed from a different client (treat as a possible takeover and force a fresh reset plus user notification), or never consumed and still live (revoke now). Separate root cause from symptom: the symptom is the partner's log, the root cause is a secret in the URL of a page that loads third-party content, and that same URL also lands in browser history, proxy logs and bookmarks, so a referrer policy alone does not close it. Communicate status as you go, and close with what prevents a repeat: exchange the URL token for a server-side session and redirect to a token-free page before anything with third-party assets renders, and add a check to the release process that no secret is ever carried in a query string.
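The two halves of that answer, as an added example that is not part of the original page: a triage pass over constructed access-log rows (the tuple shape, the `/reset` path and the IP addresses are assumptions standing in for a real log format), and the handler pair that consumes `?token=` and redirects to a token-free URL before any page renders. The `token_store`/`session_store` dicts and the `(status, headers, body)` return shape are hypothetical stand-ins for whatever your framework provides.

```python
import hashlib
import re
import secrets
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# ---- Triage: classify every token that shows up in a /reset?token= URL ----

# Matches the token in a path or Referer such as /reset?token=... or /reset?a=1&token=...
TOKEN_RE = re.compile(r"/reset\?(?:[^\s&]*&)*token=([A-Za-z0-9_-]+)")

# Constructed sample access-log rows: (client ip, request line, Referer).
# The shape is hypothetical; point the parser at your real log format.
SAMPLE_LOG = [
    ("198.51.100.7", "GET /reset?token=abc123 HTTP/1.1", "-"),
    ("198.51.100.7", "GET /static/app.js HTTP/1.1", "https://app.example/reset?token=abc123"),
    ("198.51.100.7", "POST /reset HTTP/1.1", "https://app.example/reset?token=abc123"),
    ("203.0.113.9", "GET /reset?token=def456 HTTP/1.1", "-"),
    ("192.0.2.44", "POST /reset HTTP/1.1", "https://app.example/reset?token=def456"),
    ("198.51.100.7", "GET /reset?token=ghi789 HTTP/1.1", "-"),
]


def fingerprint(token: str) -> str:
    """Key the incident report by a hash prefix so raw tokens are not copied into yet another log."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def triage(rows):
    """Return {fingerprint: verdict} for every token seen in a request path or Referer."""
    opened, consumed = defaultdict(set), defaultdict(set)
    for ip, request, referer in rows:
        method, path = request.split(" ")[:2]
        for source in (path, referer):
            m = TOKEN_RE.search(source)
            if m:
                (consumed if method == "POST" else opened)[m.group(1)].add(ip)
    verdicts = {}
    for tok in set(opened) | set(consumed):
        if not consumed[tok]:
            verdicts[fingerprint(tok)] = "live-revoke"            # leaked and still usable
        elif consumed[tok] - opened[tok]:
            verdicts[fingerprint(tok)] = "consumed-by-other-ip"   # investigate as possible takeover
        else:
            verdicts[fingerprint(tok)] = "consumed-same-client"   # lowest priority, still notify the user
    return verdicts


# ---- Fix: the token-bearing URL never renders a page, so there is nothing to leak ----

COMMON_HEADERS = {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}


def handle_reset_landing(url: str, token_store: dict, session_store: dict, now: int):
    """GET /reset?token=...: consume the token, bind a short-lived session to a cookie,
    and 303 to a token-free URL. Returns a hypothetical (status, headers, body) triple."""
    token = parse_qs(urlparse(url).query).get("token", [None])[0]
    record = token_store.pop(token, None)            # single use, whether valid or not
    if record is None or record["exp"] < now:
        return 303, {**COMMON_HEADERS, "Location": "/reset/expired"}, ""
    sid = secrets.token_urlsafe(32)
    session_store[sid] = {"user": record["user"], "exp": now + 600}   # 10 minutes to submit
    # Lax rather than Strict: the click arrives as a cross-site navigation from a mail
    # client, and Strict cookies may be withheld on that flow; Lax still blocks cross-site POSTs.
    cookie = f"reset_session={sid}; Path=/reset; Max-Age=600; HttpOnly; Secure; SameSite=Lax"
    return 303, {**COMMON_HEADERS, "Location": "/reset/form", "Set-Cookie": cookie}, ""


def handle_reset_submit(cookie_header: str, session_store: dict, now: int):
    """POST /reset/form: authorise by the cookie-bound session only. Returns (status, user)."""
    cookies = dict(p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
    session = session_store.pop(cookies.get("reset_session"), None)   # session is single use too
    if session is None or session["exp"] < now:
        return 403, None
    return 200, session["user"]
```

`triage()` treats the client IP as a weak identity signal: NAT and mobile carriers will produce false "other-ip" hits, so it orders the investigation rather than proving a takeover, and the "live-revoke" bucket is the one to act on immediately. The handler pair keeps the token off any page that loads third-party assets; the `Referrer-Policy` header is belt-and-braces, since it only governs what the browser sends and does nothing about the URL sitting in history or intermediary logs.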
