This is an update to an earlier blog post about the Heartbleed bug.

tl;dr – Wave was not compromised by Heartbleed and neither were our critical technology partners.

As promised, here's an update on the Heartbleed bug and what we've been up to in response to it.

As soon as the Heartbleed bug was announced, we knew and reported immediately that Wave's systems were not directly vulnerable. More specifically, the version of OpenSSL used by Wave was not a version that was subject to the Heartbleed bug.

Next step: Confirm with our critical partners whether they had been impacted — in other words, find out if Wave was indirectly vulnerable. Happily, we can report that our hosting provider was not vulnerable to the bug, and our bank data partners report no problems as well.

After that, out of an overabundance of caution, we compiled a massive list of every service we use, and made sure that all of them were safe to use again. And we changed all our passwords, across our entire organization.

For any company that couldn't provide the right assurances that they were safe to use, we have suspended their use pending their further actions. Fret not, this has no impact on Wave customers: The only companies in this bucket are tools for administrative use, like meeting planning or screen sharing.

What should YOU do?

You're reading this blog post about Heartbleed, so we're off to a good start. In my last post I suggested you follow an action plan similar to what we did:

  1. Think of all the services you use online (the size of this list may surprise you by the time you're finished).
  2. Systematically go through each one and verify if they were affected or not.
  3. If they were affected, verify that they've fixed the vulnerability and then change your passwords.

Most sites that were impacted by Heartbleed are reaching out to their users to tell them to change their passwords. If you haven't received something from a company, don't be afraid of reaching out proactively. The person best suited to protecting you is you. (Also, I hear you're pretty good at preventing forest fires.)

Are you done, then? No! I strongly recommend that you be extra diligent over the coming months. Watch out for phishing emails saying things like, “Hey Jim, I forgot to pay you back for that thing I bought — send me your bank credentials so that I can wire you some money.” If you get messages that ask for or talk about your money and you're not sure about the source, treat it with caution. For example, your bank wouldn't actually send you to a site like TD.passwordreset.12312312343.cn.com to change your credentials. If you're resetting a password, make sure you see the https in front of a URL you recognize. If you're following links from one page to another, verify that you actually ended up where you were headed, not a page that just looks like it.

In closing:

You'll hear this from time to time: Here at Wave we take security very seriously. That's not a canned response. We mean it. Part of our commitment is being open and honest, even when the news isn't great. For many of you, your business is your life. We understand that, we respect it, and we'll continue to treat events like these as life-threatening.

Finishing where I started, though: I'll reiterate that Wave and our critical technology partners were not affected by the Heartbleed bug.

So you can...

keep calm

(a little accounting humor to lighten up a dry subject)