Security researchers discovered several hash-traps in the legacy authentication module that allowed token collisions.