Security announcement: Heartbleed CVE-2014–0160
We’d like to let you know about a severe security vulnerability that has just been announced and has affected the majority of the internet.
Joel Friedlaender·
This is not something you need to be alarmed about, but something you should be aware of. As always, the security of your information is our top priority and we’d like you to know what has been going on recently.
On the 8th of April, 2014 at 3:30am AEST, a bug known as Heartbleed (official reference CVE-2014–0160) was publicly announced. This bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
OpenSSL is a library used by most online systems (estimated 66% of the internet) to handle secure internet traffic. Secure internet traffic is the HTTPS (or green lock) you see in your browser URL when using secure sites such as Online Banking, Credit Card Forms and Cliniko.
How it affected Cliniko
At Cliniko, we were using the affected OpenSSL library (as is the majority of the internet). This means that Cliniko was vulnerable to this security flaw. Whilst vulnerable, we have no reason to believe that any attack was made on our systems or any data was exposed.
What we have done about it
Since the public release of this information on 8th of April, 2014 at 3:30am AEST, we worked as quickly as possible to secure our systems from this vulnerability. By 9th of April, 2014 at 5:55am AEST we no longer used the vulnerable version of OpenSSL and had re-keyed our SSL certificates (the appropriate actions required to resolve this security issue).
What you should do
Whilst we have no reason to believe any information was exposed from Cliniko, we do recommend you change all your passwords to something new and secure. This is playing it very safe, but we think that’s the best approach when it comes to security.
We also recommend you change all your passwords with other internet services (eg. facebook, internet banking, email, etc.) too. Importantly, you need to wait until these services have secured themselves from this vulnerability before you proceed with changing your password.
Summary
This is the largest security vulnerability to hit the internet that I can recall. It is a big deal and we think you should know about it. We also don’t believe any attack has been made against Cliniko and that your data is still in the safest place possible. We’ve acted very quickly and fixed our systems as fast as possible. We are no longer exposed to this vulnerability.
We do recommend you change your passwords in Cliniko and all other online systems once you know they have fixed the issue.
If you want to find out more, google “Heartbleed”, it’s quite a popular topic right now.
If you have any questions about this at all, please do let us know and we’ll provide any assistance we can.