“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.
― Security expert Bruce Schneier, responding to Heartbleed
On Monday the 7th of April 2014, a flaw in OpenSSL, the cryptography library behind a large share of the web's HTTPS servers, was publicly disclosed (CVE-2014-0160). It exposed an estimated two thirds of the web to the risk of catastrophic security failure. The flaw has been dubbed “Heartbleed”.
The potential for exploiting this has now been mitigated by many providers, including ScraperWiki. The ramifications are only slowly becoming understood.
We at ScraperWiki recommend that you change your passwords on all websites of importance to you, especially with your bank, email and anything that can be used to impersonate you, regardless of whether you have used those passwords anywhere else. Change each one once that site has confirmed it is patched: a new password entered on a still-vulnerable site can be leaked just like the old one.
What’s the problem?
It turns out that there was a programming mistake in OpenSSL, a piece of software which underpins a significant portion of the web. The TLS “heartbeat” extension lets one side send a short message and ask the other side to echo it back. The flawed code trusted the length the requester claimed for that message instead of the length actually received, and so echoed back up to 64 KB of whatever happened to sit in the server's memory beyond it. Anyone who understood the mistake could ask a vulnerable website to hand over those memory fragments, which could contain the usernames and passwords of whoever had recently logged in, their session cookies, or even the server's private key.
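To make the mistake concrete, here is an added example in C. It is not ScraperWiki's code and not OpenSSL's source; it models the heartbeat message layout (type, peer-supplied 16-bit length, payload, 16 bytes of padding) with a vulnerable handler shaped like the pre-1.0.1g tls1_process_heartbeat() logic beside a fixed handler carrying the bounds check that OpenSSL 1.0.1g added. The "process memory", the session cookie placed next to the record, and the function names are constructed for the demonstration; the over-read stays inside one local buffer so the program runs safely while showing the same effect.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's code. Heartbeat message layout modelled here:
 *   byte 0     : type (1 = request, 2 = response)
 *   bytes 1-2  : payload length, big-endian, chosen by the peer
 *   bytes 3..  : payload, followed by 16 bytes of padding
 * The record's true length comes from the TLS record header (rec_len). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

static uint16_t n2s(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable handler: the peer's declared payload length is trusted and that
 * many bytes are copied out of the record buffer even when the record itself
 * is far shorter, so whatever follows it in memory is sent back too. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap) {
    (void)rec_len;                         /* the bug: never compared with payload */
    uint16_t payload = n2s(rec + 1);
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;      /* guards only our own output buffer */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);     /* over-reads past the real record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler: the check OpenSSL 1.0.1g added. A request whose declared
 * payload does not fit inside the received record is silently dropped. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;   /* too short to be a request */
    uint16_t payload = n2s(rec + 1);
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > rec_len) return 0;      /* declared length exceeds the record */
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Constructed process memory: a request carrying the 4-byte payload "ping"
 * but declaring `declared` bytes, followed directly by a session cookie
 * (constructed) that the peer must never receive. Returns the record length. */
static const char SECRET[] = "session=3f9c1a7e; user=alice";

static size_t build_memory(uint8_t *mem, size_t cap, uint16_t declared) {
    memset(mem, 0, cap);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(declared >> 8);
    mem[2] = (uint8_t)(declared & 0xff);
    memcpy(mem + 3, "ping", 4);
    size_t rec_len = 1 + 2 + 4 + HB_PADDING;   /* 23 bytes actually on the wire */
    memcpy(mem + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

static int contains(const uint8_t *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the chosen handler's reply to an over-declared request carries the secret. */
int response_leaks_secret(int use_fixed) {
    uint8_t mem[256], out[256];
    size_t rec_len = build_memory(mem, sizeof mem, 200);   /* declares 200, sends 4 */
    size_t n = use_fixed ? heartbeat_fixed(mem, rec_len, out, sizeof out)
                         : heartbeat_vulnerable(mem, rec_len, out, sizeof out);
    return n > 0 && contains(out, n, SECRET);
}

/* Reply length the fixed handler gives an honest request (payload 4);
 * 0 would mean the fix also broke legitimate heartbeats. */
size_t fixed_honest_response_len(void) {
    uint8_t mem[256], out[256];
    size_t rec_len = build_memory(mem, sizeof mem, 4);
    return heartbeat_fixed(mem, rec_len, out, sizeof out);
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", response_leaks_secret(0));
    printf("fixed handler leaks secret:      %d\n", response_leaks_secret(1));
    printf("fixed handler honest reply:      %zu bytes\n", fixed_honest_response_len());
    return 0;
}
```

The only difference between the two handlers is the comparison of the declared payload length against the length the TLS layer actually received; in the real library the attacker-controlled value was also at most 65535, which is where the "64 KB per request" figure comes from.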
On Monday night, the mistake became known to hundreds of thousands of people around the world, good guys and bad. Since the attack can be automated to rapidly divulge potentially millions of credentials, it is very likely that large numbers of our passwords are now compromised.
The nature of the leak means that it is very difficult, if not impossible, to know whether information was stolen during the two years the mistake was present: the vulnerable code shipped in OpenSSL 1.0.1 in March 2012, and a malicious heartbeat request is a valid TLS message that leaves nothing in a web server's ordinary access logs. However, as of writing, there is no positive evidence that it was exploited before the announcement on Monday evening.
What does that mean?
It means that for a period of approximately 12-48 hours, anyone could download a program, point it at many websites on the internet (including the likes of banks, social media websites, email providers and ScraperWiki) and pull out fragments of those servers' memory: the passwords of users who had recently logged in, their session cookies and other data that could be used to impersonate them, with no audit trail.
How has ScraperWiki responded?
Immediately upon learning of the vulnerability, we upgraded OpenSSL on our servers to a fixed version and restarted them. The restart matters: a patched library on disk does nothing for a process that is still running with the old one loaded in memory. This made our servers safe against this attack.
Out of an abundance of caution we re-keyed our servers, since the private key itself could have been among the memory leaked; obtained new SSL certificates for the new keys, because a certificate bound to a possibly stolen key cannot be trusted; and invalidated all login sessions, because a stolen session cookie would otherwise remain usable. This means you will have had to re-enter your password to access your data on ScraperWiki.
We’ve also reviewed our security practices and updated our servers so that they can use the latest encryption technology (current TLS versions and cipher suites), to keep your ScraperWiki credentials and data safe should other attacks of this nature be discovered.
The effects of Heartbleed may be felt for some time. The internet hosts of the world are reeling from this event. It is worth your while to take a moment to protect yourself by changing your passwords now.