tl;dr Freckle was patched on Monday within hours of public knowledge of this security problem. We recommend that you change your password and API token.
This Monday (April 7, 2014) afternoon (ET) the Heartbleed bug (CVE-2014-0160) was made public. It is a very serious security problem with the way web servers (like Freckle) handle encrypted data. (For a non-nerdy explanation see this XKCD comic!)
This vulnerability affects a large number of web sites and applications, from big ones like Google, Facebook, Yahoo, Twitter, GitHub, your bank and so on down to smaller services like Freckle.
The gist is that an attacker could have read some encrypted data, including passwords and other sensitive information; as well as impersonated other people and logged in to their accounts. Unfortunately there’s no way to know for sure that we’ve been affected or not. _We do not have any indication that any Freckle data was exposed._
We take your data security very seriously, and immediately dropped what we where doing to fix this problem.
Steps we’ve taken to fix this problem: (warning, nerdspeak ahead!)
- Within a few hours of the vulnerability becoming public knowledge, we’ve patched our servers and issued a new SSL certificate. The old SSL certificate has been revoked.
- We’ve changed the encryption keys used for our cookies, making it impossible to use older cookies that may have been exposed to sign in. This reset all active browser sessions. (You may have noticed that you had to sign in again.)
- We’ve updated internally used passwords and API keys.
- A while ago, we enabled Freckle to use Perfect Forward Secrecy, which makes it almost 100% impossible that anyone could read past traffic data exposed by the Heartbleed bug.
- Additionally we have our normal security measures in place.
Steps we advise you to take:
- Change your Freckle password. While we don’t think passwords have been exposed, it’s a good idea to change passwords from time to time anyway. We recommended not to use the same password as on other services.
- Generate a new API token. If you use our API, please generate a new token, just to be sure.
- If you run your own servers that use SSL, as many of our customers do, please update them, now.
If you have any questions, please contact us at [email protected].