OpenSSL, the open source cryptographic library reported the Heartbleed vulnerability on April 7, 2014. The vulnerability allows stealing the information protected, under normal conditions, by SSL/TLS encryption.
We have had no evidence that this vulnerability was used against Sprintly but we have taken all necessary precautions to ensure the continued safety of your information.
Actions We Have Taken
- Within hours of the official report from OpenSSL, we patched and verified all our servers for CVE-2014-0160.
- We use Amazon’s ELB product for load balancing. They patched our region a few hours before we patched our servers.
- We have re-issued new SSL certificates to all our servers.
- We have rotated all of our SSH, Chef, and AWS API keys throughout our infrastructure.
- We have rotated all 3rd party API keys we use to provide services, such as Transloadit (file processing) and Postmark (email).
- We have set up our Chef nodes to re-key themselves every 24 hours. We suggest you do the same.
- Friday night we flushed all active sessions. This means you will have to log into Sprintly again when you get back to work Monday. Apologies in advance for any inconveniences.
Additional Precautions
You may consider taking these additional precautionary measures on your Sprintly account:
- Change your Sprintly password
- Reset your Sprintly API key
Both settings may be found in the Profile menu under your Gravatar.
Again, we have had no indication that this vulnerability was used against Sprintly but do feel that it is a good habit to keep your passwords and security keys regularly updated.
If you have any questions or concerns, please feel free to contact us at support@sprint.ly.