As you may have heard, an internet security vulnerability called “Heartbleed” was recently discovered in the OpenSSL library. (This library is used by many websites to secure data transfers with their users. The irony is not lost on us.) While we don’t have any indication that any data or accounts were compromised, we take protecting our users’ data very seriously.
As soon as we were made aware of the vulnerability, we began work to apply security fixes to our affected services. We are following industry best practices to deal with the situation.
Timeline on April 8, 2014 (times in PDT):
- 11:56 – Our hosting platform, Heroku, performed maintenance to upgrade all affected services and certificates. Updated OpenSSL libraries were deployed.
- 16:00 – We renewed all of our SSL certificates.
- 17:00 – We signed out all users to ensure that everyone would create new, secure connections.
P.S. We found this article that shows which major web sites were affected and their status in patching the vulnerability. Keep in mind that you should change your passwords with these services after they’ve been patched. If you change your password before the servers are fixed, your password and secure connections are still vulnerable. We also found this simple site-checker that determines if it’s time to change your password for a particular site.