On Monday, the internet experienced one of its most serious security vulnerabilities in a long time: an OpenSSL bug called “Heartbleed”. This affected the majority of internet services, and Flowdock was no exception. However, we have no indication that the vulnerability has been used to attack Flowdock.
The version of OpenSSL that we used was vulnerable, and we reacted to the announcement within minutes. Our operations team investigated the issue and fixed all vulnerable systems between midnight and 4 AM (Helsinki time, UTC+3). All holes had been plugged before an exploit was publicly available.
To further minimize risks, we are changing all SSL certificates and invalidating all user sessions. UPDATE: As of Apr 10 07:00 AM (UTC), all sessions have been invalidated and the SSL certificates updated. Because of this, all users will need to log in again. We apologize for the inconvenience, but we want to be absolutely sure that it’s not possible for attackers to steal your user session. For added security, we are also looking into enabling an SSL feature called PFS (perfect forward secrecy).
We’re doing everything we can to mitigate any risks, and we reacted to the issue in a timely manner. We don’t have a reason to believe that any customer data was compromised, but it might not be a bad idea to change your password in all the services you use on the internet.