Roll20 is served via HTTPS, meaning that it is statistically impossible for you to be served someone else's cookie. That data is encrypted. The transmission was signed by us and signed by you, and encrypted so that only our servers and your computer can decode the information sent afterward. So that even though it passes through 12 or more servers on the path from us to you, none of them should be able to read the data, including your cookie or anyone else's. Our best guess as to what's happening is that you're the victim of a man-in-the-middle attack. This would mean users have had their secure communication hijacked and decrypted, probably because they were compromised from the beginning. The results of the decrypted information are then cached, because this process is expensive to do. That cached information is then served up instead of the authentic request from Roll20 when you attempt to log in. They have a cached result of app.roll20.net/ that was decrypted, including another users cookie and login, and that's what you are receiving. In the past the rare times we've seen this issue have either been because the users were using the same VPN and IP address or the users were all in the same country using the same (usually the only government available) ISP. The countries where we've seen this happen are Egypt, Turkey, Iran, and Syria. The most recent batch of people affected have all been located in Egypt using TE Data as their ISP. Is that the same for you?