Avoiding Tabloid Headlines: Lessons from the Nordnet Incident
Nordnet never officially disclosed the technical reason behind last week’s issues. In case you missed it, here’s their official report: https://www.nordnet.fi/faq/muut-aiheet/ongelmatilanteet/tietoa-teknisista-ongelmista-11-2-2025.
An interesting repository popped up on their GitHub page: https://github.com/nordnet/lettuce-out-of-order. It demonstrates an issue in Lettuce (a Redis client) that could cause one user, Matti, to receive the data of another user, Maija.
How did Nordnet fix the issue and regain confidence in their system? These kinds of bugs can hide in the code for a long time before they fully surface. Did they simply reduce cache usage during login and hope for the best?
But what if someone deliberately floods the system with requests and triggers this bug again? Security incidents don’t always happen by accident. Once bad actors spot an issue like this, they might try to exploit it. Can you be sure your system won’t make the headlines next?
Spring Boot applications often use Lettuce by default through the Spring Redis starters, which makes this issue fairly common. We found the same problem in a customer project that used ReactiveRedisTemplate and LettuceConnectionFactory, and we managed to reproduce the bug by running an integration test with 100 concurrent requests.
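A check along the lines of the integration test described above, as an added example rather than the customer project's or Nordnet's code. It assumes a throwaway Redis instance on localhost:6379; the class name, key scheme and round count are constructed for illustration.

```java
import java.time.Duration;
import java.util.List;
import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
import org.springframework.data.redis.core.ReactiveStringRedisTemplate;
import reactor.core.publisher.Flux;

public class CrossUserCacheCheck {
    static final int USERS = 100; // matches the 100 concurrent requests in the post

    // Constructed key/value scheme: every cached value names its owner.
    static String key(int user) { return "test:session:" + user; }
    static String value(int user) { return "owner=" + user; }

    // Returns every reply whose owner does not match the key that was requested.
    static List<String> findMismatches(ReactiveStringRedisTemplate redis, int rounds) {
        return Flux.range(0, USERS * rounds)
            .map(n -> n % USERS)
            .flatMap(user -> redis.opsForValue().get(key(user))
                    .defaultIfEmpty("<missing>")
                    .filter(got -> !got.equals(value(user)))
                    .map(got -> key(user) + " returned " + got),
                USERS) // up to 100 reads in flight on the shared connection
            .collectList()
            .block(Duration.ofSeconds(60));
    }

    public static void main(String[] args) {
        // Assumption: a disposable Redis instance on localhost:6379.
        LettuceConnectionFactory factory = new LettuceConnectionFactory("localhost", 6379);
        factory.afterPropertiesSet();
        try {
            ReactiveStringRedisTemplate redis = new ReactiveStringRedisTemplate(factory);
            Flux.range(0, USERS)
                .flatMap(u -> redis.opsForValue().set(key(u), value(u)))
                .blockLast(Duration.ofSeconds(10));
            List<String> mismatches = findMismatches(redis, 50);
            mismatches.forEach(System.err::println);
            if (!mismatches.isEmpty()) {
                throw new IllegalStateException(mismatches.size() + " replies went to the wrong caller");
            }
            System.out.println("all replies matched their keys");
        } finally {
            factory.destroy();
        }
    }
}
```

A clean run shows only that no mismatched reply was observed under this load; the block does not contain the specific trigger shown in the linked repository.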
The good news? Switching from Lettuce to Jedis or Redisson is easy. We quickly implemented a fix for the customer—and avoided the tabloid headlines.
Take action before this turns into a production disaster!