Hi – as some of you are no doubt aware, there has been a security vulnerability discovered this week in the software that pretty much the whole internet uses for secure communications. More about the vulnerability (named Heartbleed) can be found here: http://heartbleed.com
At Folksy, as soon as we heard about the issue, we immediately patched all of our application servers. We don’t store any payment details or unencrypted passwords on these or any other servers at Folksy, but these are the servers that would be the first target of any attack, had it been made, so these were protected first.
We then went through all of our services (like the image service) and any other machines running OpenSSL and patched those.
Finally, we regenerated all of our secure communications certificates, and cycled those on all of our servers and services.
Unfortunately, there is no way of knowing whether any servers that have been running the vulnerable versions of OpenSSL have been compromised or not. As we can’t definitively state that there hasn’t been an attempt to compromise our servers, we are recommending, along with most other online services, that all of our users change their Folksy passwords. This can be done by visiting the “Change password and email” section of your dashboard, or just by visiting here: https://folksy.com/myprofile/your_details
The change to your password will be made in complete security, as all of our servers have been patched and are running new security certificates.
For users worrying about their PayPal account details, PayPal have issued the following, very reassuring statement: https://www.paypal-community.com/t5/PayPal-Forward/OpenSSL-Heartbleed-Bug-PayPal-Account-Holders-are-Secure/ba-p/797568
We hope that this post reassures any of you who are worrying about this serious security vulnerability that we have addressed the issue thoroughly. We are also continually monitoring important web security news, and constantly reviewing our security.