On April 7, 2014, a major vulnerability called ‘CVE-2014-0160’ or ‘Heartbleed’ was announced for recent versions of OpenSSL, an industry-standard program used to secure communication on the internet. FormAssembly, along with many other major industry players, had to address this issue. While we have no evidence that any communication or data on FormAssembly has been compromised, we would like to share with you the steps we’ve taken to remediate the issue and how it impacts you as a customer.
WHAT IS HEARTBLEED:
Heartbleed can cause a server to return confidential data when a specially crafted request is sent. This means that potentially all communication between the server and its clients over HTTPS could be compromised.
WHO IS AFFECTED:
Unfortunately, this issue is not limited to FormAssembly users and is affecting a wide swath of the internet. As the week goes on, you will hear of more services affected by this issue. The following sites have announced that they were affected by this issue: Facebook, Flickr, Yahoo Mail, Slate, and the list goes on.
FormAssembly Enterprise Cloud instances were not affected by this issue, due to a different software set being in place for these private instances. However, FormAssembly Enterprise Cloud customers should still see the ‘WHAT SHOULD YOU DO’ section below, as this issue was not limited to FormAssembly.
WHAT DID WE DO TO RESOLVE THE ISSUE:
Once the issue was announced, we updated all FormAssembly servers that were vulnerable, within the hour of the fix being released. Once that immediate issue was resolved, we began the process of requesting new SSL / HTTPS certificates to ensure all communication between our servers and you is secure. At this time, those new certificates have been deployed and are again protecting our communications and data.
WHAT SHOULD YOU DO:
We have no evidence that any communication or data on FormAssembly has been compromised as a result of this issue.
However, because of the widespread nature of this vulnerability, we’re recommending you change your password on FormAssembly.com, as you may have used your password on a site that has been compromised. No account data or settings could have been compromised as a result of this issue, as we take additional steps to protect account transactions and access.
As we roll out the new secure communication certificates, please let us know immediately if you have any trouble communicating with FormAssembly.com or see any unexpected behavior in your browser.
We apologize for any inconvenience this has caused you. If you have any questions, please contact us here or at firstname.lastname@example.org.
FormAssembly Infrastructure Team
Finally, like our robot above, if you know your IT team, give them a hug today, as this has been a challenge for us all.