As you may have heard, an internet security vulnerability called "Heartbleed" was recently discovered in the OpenSSL library. (This library is used by many websites to secure data transfers with their users. The irony is not lost on us.) While we don't have any indication that any data or accounts were compromised, we take protecting our users' data very seriously.
As soon as we were made aware of the vulnerability, we began work to apply security fixes to our affected services. We are following industry best practices to deal with the situation.
Timeline on April 8, 2014 (times in PDT):
- 11:56 - Our hosting platform, Heroku, performed maintenance to upgrade all affected services and certificates. Updated OpenSSL libraries were deployed.
- 16:00 - We renewed all of our SSL certificates.
- 17:00 - We signed out all users to ensure that everyone would create new, secure connections.
On the afternoon of Friday, April 11th, we will be requiring all of our users to update their passwords. All users will be required to request a password reset token and choose a new password. Concurrently, we will be updating our password complexity requirements.
Does this sound complicated? It's not. Here's how it'll go for your users.
- We'll send out an email to all users notifying them of the pending changes to their account.
- Users will go to the login page and click "Forgot your Password".
- The user will enter their email address and submit.
- An email with a reset password link will be sent to the user.
- After following the link, the user will be able to enter a new password.
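The server side of the reset flow above, written as an added example that is not the service's own code: the token in the emailed link is random, stored only as a hash, valid for one hour and for one use, and redeeming it both enforces a complexity rule and bumps a per-user session generation so that every existing session is signed out (the same effect as the 17:00 step in the timeline). The in-memory USERS and RESET_TOKENS dictionaries, the one-hour TTL, the PBKDF2 round count and the complexity rule are all assumptions made for this example; the page does not describe the service's storage or its new policy.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the application's database tables (an assumption of
# this example; the page does not describe the service's storage).
USERS = {"alice@example.org": {"salt": None, "password_hash": None, "session_generation": 0}}
RESET_TOKENS = {}  # sha256(token) -> {"email", "expires", "used"}

TOKEN_TTL_SECONDS = 60 * 60  # assumed: reset links stop working after an hour
PBKDF2_ROUNDS = 100_000      # assumed work factor for password hashing


def _hash_token(token):
    # Only the hash is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def meets_complexity(password):
    """Assumed policy: at least 12 characters with a letter, a digit and a symbol."""
    return (len(password) >= 12
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def request_reset(email, now=None):
    """Step 3: the user submits their address.

    Returns the token that goes into the emailed link, or None when the address
    is unknown. The HTTP response shown to the user should be identical in both
    cases so the form cannot be used to enumerate accounts.
    """
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    RESET_TOKENS[_hash_token(token)] = {
        "email": email,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_reset(token, new_password, now=None):
    """Step 5: the user follows the link and chooses a new password.

    Returns (ok, reason). Checks run in order: token known, not yet used, not
    expired, new password acceptable.
    """
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_hash_token(token))
    if record is None:
        return False, "invalid token"
    if record["used"]:
        return False, "token already used"
    if now > record["expires"]:
        return False, "token expired"
    if not meets_complexity(new_password):
        return False, "password does not meet complexity requirements"
    user = USERS[record["email"]]
    salt = secrets.token_bytes(16)
    user["salt"] = salt
    user["password_hash"] = hash_password(new_password, salt)
    # Bumping the generation invalidates every session issued before the reset,
    # the same effect as the forced sign-out in the timeline.
    user["session_generation"] += 1
    record["used"] = True  # single use: a replayed link is refused
    return True, "password updated"


def verify_login(email, password):
    user = USERS.get(email)
    if user is None or user["password_hash"] is None:
        return False
    # Constant-time comparison of the derived hashes.
    return hmac.compare_digest(hash_password(password, user["salt"]), user["password_hash"])
```

Session handling is left to the caller: a session cookie should carry the generation number it was issued under and be rejected once the user's stored generation moves past it.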
Our support staff will be ready to answer any questions that come up. We'll respond to tickets created through our support site or from email sent to firstname.lastname@example.org.
P.S. We found this article that shows which major websites were affected and their status in patching the vulnerability. Keep in mind, your passwords should be changed with these services after they've been patched. Otherwise, your password and secure connections are still vulnerable. We also found this simple site-checker that determines if it's time to change your password for a particular site.