Between 15:45 UTC on 29 October and 00:05 UTC on 30 October 2025, customers and Microsoft services leveraging Azure Front Door (AFD) experienced latencies, timeouts, and errors.

The AFD & CDN delivery services continue to be stable and are running as expected. 

Out of an abundance of caution, all service management operations (including creation, updates, deletions, and purges) to AFD via portal or APIs continue to remain temporarily suspended. We are working on a comprehensive plan to gradually reenable these in a phased approach, while ensuring the platform remains stable.

We will continue to share periodic updates as we make progress. Next Update will be by 01:00 UTC on 31 Oct 2025 or sooner.

The Azure Front Door (AFD) and Content Delivery Network (CDN) delivery data planes were fully mitigated at 00:05 UTC on 30 October 2025 and remains at normal operating levels. As we complete our full investigation and implement further safe checks, service management operations (create, update, delete, purge, etc.) are temporarily unavailable. 

We will notify customers once the restriction is lifted, and we will be sending periodic communication on the progress. Next Update will be by 19:00 UTC on 31 Oct 2025 or sooner as event warrant.

Azure Front Door (AFD) and Content Delivery Network (CDN) delivery data planes were fully mitigated at 00:05 UTC on 30 October 2025 and remain at normal operating levels. As we complete our full investigation and implement further safe checks, service management operations (create, update, delete, purge, etc.) are temporarily unavailable.  

We are working to provide an ETA on when we can lift the restriction and will continue sending periodic communication on the progress via Azure Service Health. The next update will be by 19:00 UTC on 01 November 2025 or sooner as events warrant.

Azure Front Door (AFD) and Content Delivery Network (CDN) delivery data planes were fully mitigated at 00:05 UTC on 30 October 2025 and remain at normal operating levels. As we complete our full investigation and implement further safe checks, service management operations (create, update, delete, purge, etc.) are temporarily unavailable.  

Our current expectation is to lift the restriction on 05 November 2025, and we will continue sending periodic communication on the progress via Azure Service Health. The next update will be by 19:00 UTC on 01 November 2025 or sooner as events warrant.

Azure Front Door (AFD) and Content Delivery Network (CDN) delivery data planes were fully mitigated at 00:05 UTC on 30 October 2025 and remain at normal operating levels. As we complete our full investigation and implement further safe checks, service management operations (create, update, delete, purge, etc.) are temporarily unavailable.  

Our current expectation remains to lift the restriction on 05 November 2025, and we will continue sending periodic communication on the progress via Azure Service Health. The next update will be by 19:00 UTC on 02 November 2025 or sooner as events warrant.

Azure Front Door (AFD) and Content Delivery Network (CDN) delivery data planes were fully mitigated at 00:05 UTC on 30 October 2025 and remain at normal operating levels. As we complete our full investigation and implement further safe checks, service management operations (create, update, delete, purge, etc.) are temporarily unavailable. 

Our current expectation remains to lift the restriction on 05 November 2025, and we will continue sending periodic communication on the progress via Azure Service Health. The next update will be by 03:00 UTC on 03 November 2025 or sooner as events warrant.

Azure Front Door (AFD) and Content Delivery Network (CDN) delivery data planes were fully mitigated at 00:05 UTC on 30 October 2025 and remain at normal operating levels. As we complete our full investigation and implement further safe checks, service management operations (create, update, delete, purge, etc.) are temporarily unavailable. 

Our current expectation remains to lift the restriction on 05 November 2025, and we will continue sending periodic communication on the progress via Azure Service Health. The next update will be by 03:00 UTC on 03 November 2025 or sooner as events warrant.

Azure Front Door (AFD) and Content Delivery Network (CDN) delivery data planes were fully mitigated at 00:05 UTC on 30 October 2025 and remain at normal operating levels. As we complete our full investigation and implement further safe checks, service management operations (create, update, delete, purge, etc.) are temporarily unavailable.

Our current expectation remains to lift the restriction on 05 November 2025, and we will continue sending periodic communication on the progress via Azure Service Health. The next update will be by 19:00 UTC on 03 November 2025 or sooner as events warrant.

Azure Front Door (AFD) and Content Delivery Network (CDN) delivery data planes were fully mitigated at 00:05 UTC on 30 October 2025 and remain at normal operating levels. As part of completing our full investigation and safe checks, performing service management operations (create, update, delete, purge, etc.) were made temporarily unavailable. 

Restrictions on service management operations have been removed for this Azure subscription ID. Please allow approximately 30–40 minutes for changes to fully propagate to edge sites. We expect all restrictions across subscriptions, including other subscriptions under your tenant, to be lifted by 05 November 2025. Updates on progress will continue via Azure Service Health. The next update will be provided by 22:00 UTC on 04 November 2025, or sooner if circumstances change.

We acknowledge that previous communication may have contained information meant for another list of customers. We apologize for the inconvenience and request you to note the following.

Azure Front Door (AFD) and Content Delivery Network (CDN) delivery data planes were fully mitigated at 00:05 UTC on 30 October 2025 and remain at normal operating levels. As we complete our full investigation and implement further safe checks, service management operations (create, update, delete, purge, etc.) are temporarily unavailable. 

The workflow to manage and rotate Bring Your Own Certificate (BYOC) certificates has been re-enabled. We will monitor the progress of working through the queue of necessary rotations. We will continue to provide regular updates on progress. Our current expectation remains to lift the restriction on 05 November 2025. The next update will be by 22:00 UTC on 04 November 2025 or sooner as events warrant.

In preparation for lifting the service management restrictions, an incorrect communication was sent indicating an early removal. Our current date for lifting all control plane restrictions remains 05 November 2025. The next update will be provided by 22:00 UTC on 04 November 2025, or sooner.

Azure Front Door (AFD) and Content Delivery Network (CDN) delivery data planes were fully mitigated at 00:05 UTC on 30 October 2025 and remain at normal operating levels. As we complete our full investigation and implement further safe checks, service management operations (create, update, delete, purge, etc.) are temporarily unavailable. 

We continue to hit our milestones toward the expectation to lift this restriction on 05 November 2025. The next update will be sent to confirm once this has happened, or sooner if events warrant.

Latest Update: As of 23:00 UTC on 5 November, 2025 restrictions on Azure Front Door (AFD) and Content Delivery Network (CDN) service management operations have been removed. You may now resume normal operations on the AFD service management plane. For enhanced safety and protection, we have extended the configuration propagation times up to 45 minutes. Additional platform enhancements which are underway are expected to optimize the propagation times further.

Previous Context: Azure Front Door (AFD) and Content Delivery Network (CDN) delivery data planes were fully mitigated by 00:05 UTC on 30 October 2025 and remain at normal operating levels. We previously notified you that, as part of completing our full investigation and safe checks, performing service management operations (create, update, delete, purge, etc.) were temporarily restricted. This notification is to confirm that those temporary restrictions no longer apply.

Next Steps: As mentioned in our Preliminary PIR we are completing an internal retrospective to understand the incident in more detail. Once this is completed, which is expected within approximately 7 days, we will publish our final Post Incident Review (PIR) - including a link to register for an Azure Incident Retrospective livestream, discussing the incident and our learnings.

Azure Front Door frequently asked questions (FAQ) | Microsoft Learn

 Latest Update: As of 23:00 UTC on 5 November, 2025 restrictions on Azure Front Door (AFD) and Content Delivery Network (CDN) service management operations have been removed. You may now resume normal operations on the AFD service management plane. For enhanced safety and protection, we have extended the configuration propagation times up to 45 minutes. Additional platform enhancements which are underway are expected to optimize the propagation times further.

Previous Context: Azure Front Door (AFD) and Content Delivery Network (CDN) delivery data planes were fully mitigated by 00:05 UTC on 30 October 2025 and remain at normal operating levels. We previously notified you that, as part of completing our full investigation and safe checks, performing service management operations (create, update, delete, purge, etc.) were temporarily restricted. This notification is to confirm that those temporary restrictions no longer apply.

Next Steps: As mentioned in our Preliminary PIR we are completing an internal retrospective to understand the incident in more detail. Once this is completed, which is expected within approximately 7 days, we will publish our final Post Incident Review (PIR) - including a link to register for an Azure Incident Retrospective livestream, discussing the incident and our learnings.

Azure Front Door frequently asked questions (FAQ) | Microsoft Learn

An emergency maintenance window is opened effective immediately to ensure continued stability and security of our service.  The service may be unavailable for the next two hours.

Our Maintenance services are complete. Services are working as intended.

If you have ever have an issue, you can reach out to our support team via our support portal.

In keeping with our commitment to security and transparency we wanted to inform you that our provider for SMS, Twilio, has alerted our security team to an incident that occurred. Below is the statement we received from Twilio which gives a detailed account of the incident and what has been done:

—--------------------------------------

Twilio has been notified by one of our backup carriers, iBasis, that IdentifyMobile inadvertently exposed certain SMS-related data sent by iBasis publicly on the internet that included personal data. We are writing to inform you that some of your personal data and non-personal data (such as data related to marketing campaigns) was accessed by a security research group while it was publicly exposed by IdentifyMobile.

Although this incident was outside Twilio’s control, we take it very seriously and are committed to helping you understand the full impact. 

What do you need to know? 

In order to deliver messages in specific regions, Twilio relies on numerous carriers to maximize deliverability to their final destinations. Twilio was notified that iBasis (a Twilio backup carrier) had used IdentifyMobile (iBasis's further backup carrier) who inadvertently enabled public access on an AWS S3 Bucket during development work. Information contained in this bucket was made public from May 10-15, 2024, and accessed between May 13-14, 2024. Based on a joint investigation between IdentifyMobile and Amazon AWS, we learned that a portion of this data was accessed by the Chaos Computing Club (CCC). CCC is a security research group that identifies security issues; CCC has confirmed that they are not holding any data downloaded from the AWS S3 Bucket. We do not have evidence that allows us to confirm that no other third party accessed the data. 

Twilio does not own this bucket, and none of our systems have been compromised in connection with this data exposure. This incident was the result of actions taken by IdentifyMobile and outside of Twilio’s control.

While we continue collaborating with these carriers to bring you the most accurate information regarding this exposure, the portion of data exposed by IdentifyMobile related to SMS sent between January 1, 2024 and May 15, 2024, and included: 

• Mobile number 

• SMS message content 

• SMS Sender ID 

• SMS Timestamp

What have we done so far?

• Twilio initiated our incident response process to rapidly investigate this matter.

• Twilio escalated this issue to the iBasis executive team; subsequently, we’ve done an analysis on the data logs that were compromised to provide you with as much information as possible.

• Out of an abundance of caution, we have ceased sending traffic to iBasis where possible. iBasis informed Twilio that it has stopped routing with IdentifyMobile.

• We will continue working with our 3rd party carriers to get you any additional details that may arise from this incident.

What do you need to do?

We recommend reviewing the SMS traffic you sent between January 1, 2024 and May 15, 2024, discussing the implications of an exposure with your internal team(s) and deciding if you need to engage with impacted individuals. If you need additional information regarding this incident, we are here to support you throughout this situation.

We deeply regret any inconvenience this may cause and appreciate your understanding and cooperation.

—--------------------------------------

What has StatusCast done?

Once StautsCast’s security team was alerted an audit was performed to try and determine the potential impact this had on our service. Based on Twilio’s report it is possible that some notifications sent through StatusCast’s service would have been sent using the iBasis carrier. Based on the report data would have included the recipient's phone number as well as the SMS message. SMS notifications in StatusCast are designed to be brief and to drive users to the status page. SMS messages do not include recipients name or other personal identifiable information(PII). 

As always in StatusCast you have the right to choose whether SMS notifications are sent or not. SMS options can be controlled in the Settings and Integration sections of the application if you wish to review your configurations. At this time there are no additional action items for StatusCast to take in regards to its application or infrastructure, however we will maintain close communication with Twilio and if any additional information is released we will pass it along through our own status page.

StautsCast has partnered with Twilio for years and they have maintained a strong commitment to security and transparency. We will take that as well as this incident into consideration as we continue to offer SMS notifications in the application. If you have any additional questions please reach out to us at support@statuscast.com