Security incident: Login info found in internal crash logs
On 9 May 2025, we became aware of a vulnerability where, in rare cases, a user’s Sketch password could end up in our crash reporting tool.
Because we delete crash reports after three months, we cannot say how many users this affected, but we can share that within the last three months this has happened to 81 users.
Before we explain how this happened, here’s what we’ve done so far as a result of our discovery:
How did this happen?
Like most software companies, when our Mac app crashes, we want to know what happened so we can fix it. To do this, we keep a rolling local log of the last 100 “actions” you take in Sketch. Then, if there’s a crash, we either send the crash log, plus the list of actions, to BugSnag (our error reporting tool) — or we clear the log.
From v96 of Sketch onwards, a bug in the Mac app caused that list of actions to include text users entered into text fields, including secure text fields. This meant that, if Sketch crashed soon after you had entered your Sketch account email or password (or both), this information could be sent as part of the crash report.
Importantly, the information in these crash reports was only ever available to a limited number of Sketch employees with access to our BugSnag account and not shared outside of our company. It’s also important to know that the actions we log are only ones you take within the Sketch Mac app. We don’t have a way to log actions you take elsewhere, nor do we want to.
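The failure mode described above, sketched as an added example (not Sketch's code): a rolling action log that stores whole UI events next to one that copies only allow-listed metadata, plus a send-side check before a report is built. The event fields, `ALLOWED_KEYS` and all function names are assumptions made for illustration.

```python
from collections import deque

MAX_ACTIONS = 100                               # the rolling log keeps the last 100 actions
ALLOWED_KEYS = {"action", "control", "secure"}  # assumed metadata-only schema

class ActionLog:
    """Rolling log of recent UI actions that may be attached to a crash report."""

    def __init__(self, maxlen=MAX_ACTIONS):
        self._entries = deque(maxlen=maxlen)    # oldest entries fall off automatically

    def record_unsafe(self, event):
        # Failure mode described above: the whole event, typed text included, is kept.
        self._entries.append(dict(event))

    def record(self, event):
        # Hardened: copy allow-listed metadata only, so typed text never enters the log.
        self._entries.append({k: v for k, v in event.items() if k in ALLOWED_KEYS})

    def entries(self):
        return list(self._entries)

def build_crash_report(log, summary):
    """Send-side check: drop any entry that carries a key outside the allow-list."""
    entries = log.entries()
    clean = [e for e in entries if set(e) <= ALLOWED_KEYS]
    return {"crash": summary, "actions": clean, "dropped": len(entries) - len(clean)}

# Constructed sample events for a sign-in followed by a crash.
SAMPLE_EVENTS = [
    {"action": "open", "control": "sign_in_sheet"},
    {"action": "text_changed", "control": "email_field", "secure": False,
     "text": "user@example.test"},
    {"action": "text_changed", "control": "password_field", "secure": True,
     "text": "constructed-secret"},
    {"action": "click", "control": "sign_in_button"},
]

def demo():
    unsafe, safe = ActionLog(), ActionLog()
    for event in SAMPLE_EVENTS:
        unsafe.record_unsafe(event)
        safe.record(event)
    return (unsafe, safe, build_crash_report(unsafe, "constructed crash"),
            build_crash_report(safe, "constructed crash"))

if __name__ == "__main__":
    unsafe, safe, unsafe_report, safe_report = demo()
    print("unsafe log holds typed text:", any("text" in e for e in unsafe.entries()))
    print("unsafe report dropped:", unsafe_report["dropped"])
    print("safe report actions:", safe_report["actions"])
```

The send-side check keeps typed text out of the report, but the unsafe log itself still holds it locally, so the fix has to be at the point of recording.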
Questions and answers
Was my password or any other data leaked?
No. Crash reports containing password information were sent only from the Sketch Mac app to our BugSnag account. No-one outside of a limited number of Sketch employees has access to our BugSnag account.
Was this crash log data sent anywhere else?
No. However, your Sketch account password may still be present on the rolling log of the last 100 actions you took in Sketch, stored locally on your Mac. This log is wiped with every launch of Sketch, but if you use an affected version, this data may be logged again. For this reason, we recommend updating Sketch to the v101.9 bug fix release which stops this from happening.
Do I need to take any action?
While we’ve already ensured that no new crash reports are accepted that could even theoretically contain sensitive data, we recommend you:
If you’re having any issues with updating to v101.9, please reach out to our customer support team (mail@sketch.com) who will help resolve this.
Although the risk associated with this is extremely low, out of an abundance of caution, we’d advise you reset your Sketch account password. If you happened to be reusing that password elsewhere, you should reset it elsewhere as well.
Are you continuing to store user-entered text for crash reporting purposes?
Absolutely not. With the v101.9 bug fix update, we no longer store user-entered text of any kind. We also no longer accept crash reports on BugSnag from any version of Sketch that contained the bug that caused this to happen originally.
Were more than 81 customers affected by this?
Only 81 Sketch account passwords appeared in crash logs in our BugSnag account when we discovered this issue. This number was small because we delete BugSnag data older than three months. It is possible that other Sketch account passwords were previously sent within crash reports but would have been deleted automatically after three months. Again, in this case, this information would only be available to a limited number of Sketch employees with access to BugSnag.
Customers with a license key would not be affected by this (as they use their license key to validate Sketch, not a login). Similarly, customers who log in via SSO would not be affected, as the login process takes place in a web browser, not Sketch itself.
It is important to note that text entries were logged locally as part of the last 100 taken actions in Sketch for anyone running v96-101.8 of the Mac app. However, this data was only stored locally, and was kept on a rolling basis of the last 100 actions taken in Sketch. This would only ever be sent to us in the event of a crash.
We take your privacy and data security extremely seriously, and we’re incredibly sorry for this incident. As well as taking steps to mitigate the issue in hand, we’re reviewing our practices to make sure an incident like this never happens again.
If you have any questions, or need any help updating Sketch, please do contact our customer support team — mail@sketch.com.