
React to security breach #71

@Aleksandergreg

Description


User Story

As a responsible development team,
I want to notify affected users of a security breach and force them to reset their passwords,
so that we can mitigate the risk of compromised accounts and restore trust in the application.

Preliminary

  • The SQLite update to FTS5 (Sqlite FTS5 #66) must be done before starting this user story.

Acceptance Criteria

  • Affected users are informed of the breach.
  • Affected users are required to reset their password before they can log in or use the system.
  • Users who have not reset their password are blocked from accessing protected areas.
  • The reset flow is secure, including token expiration and input validation.
  • The team has implemented logging or alerts for monitoring password reset activity.

Tasks

  • Verify the breach by confirming the hacker’s claims and identifying affected users.
  • Create a secure password reset flow (if not already implemented).
  • Mark affected users in the database (e.g., with a forcePasswordReset flag).
  • Modify login logic to block users flagged for password reset until they complete the flow.
  • Send notifications to affected users (via email or in-app messaging).
  • Ensure reset tokens expire and cannot be reused.
  • Update documentation and conduct a short internal post-mortem on the breach response.

  • Communicate transparently with users while avoiding technical blame-shifting.
  • Evaluate how the breach occurred and plan follow-up security improvements.
  • Add logging to track how many affected users have changed their passwords.
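The tasks above describe one flow: flag the affected accounts, block their login until they reset, issue expiring single-use reset tokens, validate the new password, and log each step so the team can count who has reset. The following is an added illustration for this issue, not the project's own code. It assumes an SQLite `users` table (the issue only says SQLite is in use); the column name `force_password_reset` is the SQL-style form of the `forcePasswordReset` flag named in the tasks, and all other table, column and function names, the one-hour token lifetime and the 12-character minimum are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=1)   # assumption: reset links live for one hour
MIN_PASSWORD_LEN = 12            # assumption: minimum length accepted on reset


def now() -> datetime:
    return datetime.now(timezone.utc)


def open_db() -> sqlite3.Connection:
    """In-memory SQLite with a constructed sample schema (names are hypothetical)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL,
                            pw_hash TEXT NOT NULL, force_password_reset INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE reset_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL,
                                   expires_at TEXT NOT NULL, used INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE audit_log (at TEXT NOT NULL, user_id INTEGER, event TEXT NOT NULL);
    """)
    return db


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex = stored.split("$", 1)[0]
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def log_event(db, user_id, event: str) -> None:
    """Audit trail for the monitoring criterion: one row per reset-related event."""
    db.execute("INSERT INTO audit_log VALUES (?, ?, ?)", (now().isoformat(), user_id, event))


def add_user(db, email: str, password: str) -> int:
    cur = db.execute("INSERT INTO users (email, pw_hash) VALUES (?, ?)", (email, hash_password(password)))
    return cur.lastrowid


def mark_affected_users(db, emails) -> int:
    """Set force_password_reset for every confirmed-affected account; returns how many were flagged."""
    count = 0
    for email in emails:
        row = db.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
        if row:
            db.execute("UPDATE users SET force_password_reset = 1 WHERE id = ?", (row[0],))
            log_event(db, row[0], "forced_reset_flagged")
            count += 1
    return count


def login(db, email: str, password: str) -> str:
    """'ok', 'bad_credentials', or 'reset_required' (flagged users are blocked even with the right password)."""
    row = db.execute("SELECT id, pw_hash, force_password_reset FROM users WHERE email = ?", (email,)).fetchone()
    if row is None or not verify_password(password, row[1]):
        return "bad_credentials"
    if row[2]:
        log_event(db, row[0], "login_blocked_pending_reset")
        return "reset_required"
    return "ok"


def create_reset_token(db, email: str):
    """Issue a random token; only its SHA-256 is stored, the raw value is sent to the user."""
    row = db.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return None
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO reset_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)",
               (hashlib.sha256(token.encode()).hexdigest(), row[0], (now() + TOKEN_TTL).isoformat()))
    log_event(db, row[0], "reset_token_issued")
    return token


def complete_reset(db, token: str, new_password: str, at: datetime = None) -> str:
    """Check the token exists, is unused and unexpired, validate the password, then rotate and clear the flag."""
    at = at or now()
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    row = db.execute("SELECT user_id, expires_at, used FROM reset_tokens WHERE token_hash = ?",
                     (token_hash,)).fetchone()
    if row is None:
        return "invalid"
    if row[2]:
        log_event(db, row[0], "reset_token_reuse_attempt")
        return "reused"
    if at >= datetime.fromisoformat(row[1]):
        return "expired"
    if len(new_password) < MIN_PASSWORD_LEN:
        return "weak_password"
    db.execute("UPDATE reset_tokens SET used = 1 WHERE token_hash = ?", (token_hash,))
    db.execute("UPDATE users SET pw_hash = ?, force_password_reset = 0 WHERE id = ?",
               (hash_password(new_password), row[0]))
    log_event(db, row[0], "password_reset_completed")
    return "ok"


def reset_progress(db):
    """(completed resets, users still flagged) for the 'how many have changed their password' task."""
    done = db.execute("SELECT COUNT(*) FROM audit_log WHERE event = 'password_reset_completed'").fetchone()[0]
    pending = db.execute("SELECT COUNT(*) FROM users WHERE force_password_reset = 1").fetchone()[0]
    return done, pending
```

Two design points worth noting: the database holds only a hash of the reset token, so a leaked `reset_tokens` table cannot be replayed, and the token is marked used in the same step that rotates the password, so a second submission of the same link is rejected and logged rather than silently accepted.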

Metadata


Assignees


Projects

Status

In Progress

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
