How would you think a hacker is doing the following, and how would you prevent it (looking for some helpful links, keywords or an assessment of the situation)?

There is a website where users can register and get an invitation email. The invitation link (https) contains the token. It looks like 'https://www.example.com/token/123456' (123456 is the token).

It seems that a day after my users clicked on this link, someone else uses the same links too.

How is this possible and how can I prevent this sort of hack?

Thanks

EDIT: Sorry, I should have given more information. I can eliminate the opinion that it is just a try of random token variations. Why? The exact token is used a day after one of the users had used the link. The token is a hash token of more than 20 characters.

wolfrevo
    How are the tokens generated? Try to deactivate a token after success, and add an expiration date relative to its generation date. – igavriil Feb 24 '15 at 12:24

2 Answers


They can just run a script to try any numerical value in the token value.

It's easy. How long is your token? I would also suggest using a hash token rather than a simple numerical one to limit automatic processing, as the "hack" is scripting to try a number, get a result, store the result, and then number = number + 1;

Edit: What evidence do you have you've been hacked? What happens in your script once someone has clicked the token link?

Martin
  • Sorry, I should have given more information. I can eliminate the opinion that it is just a try of random token variations. Why? The exact token is used a day after one of the users had used the link. The token is a hash token of more than 20 characters. – wolfrevo Feb 24 '15 at 12:42


A simple logic to apply could be:

  1. define a string pattern, like: secretconstant%email
  2. hash the string and now you have the token (and save it)
  3. create your invitation URL with the token

If someone calls your service with a random token you can reject them because your information system has not saved that token. Then if you have the token you must discard it so the link will not be valid anymore.

You could also check if the email used in the registration is the same one used to calculate the token, so you may block the registration!

Manuel Spigolon
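The two answers and the comment together describe one server-side scheme: issue a non-guessable token derived from a secret and the email, remember it, reject any token you did not issue, discard it after one use, expire it after a fixed time, and check that the email registering matches the one invited. The following is an added example in Python, not code from either answer or from the asker's site. It assumes a `SECRET_CONSTANT` loaded from configuration, a 24-hour expiry, and an in-memory dictionary standing in for the database; it keys the answer's `secretconstant%email` pattern with HMAC-SHA256 rather than a plain hash (so the constant cannot be recovered from tokens) and adds a random nonce (my addition) so that re-inviting the same address yields a fresh token.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical server-side secret: load it from configuration in a real deployment.
SECRET_CONSTANT = b"replace-with-a-long-random-secret"

# Assumed expiry window, per the comment suggesting an expiration date.
TOKEN_TTL_SECONDS = 24 * 3600


@dataclass
class Invitation:
    email: str
    issued_at: float
    used: bool = False


@dataclass
class InvitationStore:
    """Issues and redeems single-use, expiring invitation tokens."""

    secret: bytes = SECRET_CONSTANT
    ttl: int = TOKEN_TTL_SECONDS
    # Constructed stand-in for the database table of issued tokens.
    _tokens: dict = field(default_factory=dict)

    def issue(self, email: str, now: float) -> str:
        # Answer's pattern "secretconstant%email", keyed with HMAC so the secret
        # is not recoverable; the nonce makes each issued token unique.
        nonce = secrets.token_hex(16)
        message = f"{nonce}%{email}".encode()
        token = hmac.new(self.secret, message, hashlib.sha256).hexdigest()
        self._tokens[token] = Invitation(email=email, issued_at=now)
        return token

    def redeem(self, token: str, email: str, now: float) -> str:
        """Returns "ok" or the reason the link must be refused."""
        inv = self._tokens.get(token)
        if inv is None:
            # Never issued by us: a random or guessed token value.
            return "unknown"
        if inv.used:
            # The asker's symptom: the same link presented again a day later.
            return "already_used"
        if now - inv.issued_at > self.ttl:
            return "expired"
        if not hmac.compare_digest(inv.email.encode(), email.encode()):
            # Registration email does not match the invited address.
            return "email_mismatch"
        inv.used = True  # discard the token so the link is no longer valid
        return "ok"


if __name__ == "__main__":
    store = InvitationStore()
    token = store.issue("alice@example.com", now=0.0)
    print(store.redeem(token, "alice@example.com", now=60.0))      # ok
    print(store.redeem(token, "alice@example.com", now=86400.0))   # already_used
```

A mismatched email does not consume the token, so a third party presenting someone else's link cannot burn it for the legitimate invitee; only a successful registration marks it used.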