Last Tuesday (8th April) we had a period of unexpected downtime on the site (from 8pm BST). This turned out to have been caused by Heroku (our hosting platform) resetting their SSL certificates in response to the now infamous Heartbleed bug. (One of the advantages of using a platform like Heroku is that you have people on top of these issues as soon as they arise.)
However, there were still some steps that we had to take ourselves, and this post is a short summary of the action we took to secure YunoJuno in light of Heartbleed (much of which is taken from Heroku's own advice).
- Updated our SSL certificate. (A reissued certificate only helps if it is keyed on a newly generated private key: Heartbleed could have leaked the old key from server memory, so a certificate that merely re-signs that key offers no protection.)
- Cleared all live sessions from our database.
- Reset our own logins (admin logins, remote service logins).
- Updated all of our API keys (LinkedIn, Twitter, Github).
These actions were all completed first thing on Wednesday morning (9th April). The net result for our users is that everyone will have been logged out of www.yunojuno.com, and on logging back in will have been forced to re-authenticate with their chosen login service provider (LinkedIn, Twitter, Github).
We don't store any financial information, nor do we store passwords for the majority of users (as we rely on third-party authentication). However, this bug is something that everyone should take seriously, and we'd advise all our users to reset passwords wherever they can, and to keep an eye out for unusual activity on any online account.
Most of all, I'd personally recommend that everyone change their email provider password: as this article points out, losing access to your own email account can lead to a truly awful outcome.
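The "cleared all live sessions" step above only works because the session table is the thing that keeps users logged in. As an added example (not YunoJuno's code, and not tied to any particular framework), the script below contrasts the two common session designs and what "log everyone out" means for each: with server-side sessions, clearing the table ends every session; with signed-cookie sessions there is no table to clear, and the only way to end every session is to rotate the signing secret. The class and function names, and the in-memory dict standing in for the session table, are illustrative assumptions.

```python
# Added example (not YunoJuno's code): two ways "log everyone out" is actually
# implemented, so that the right one is used after a key-exposure incident.
#
# 1. Server-side sessions: the cookie is an opaque random id; a row in the
#    session table maps it to the user. Clearing the table ends every session.
# 2. Signed-cookie sessions: the cookie itself carries the user id, signed with
#    the app's secret key. There is no table to clear, so rotating that secret
#    is the only way to end every session at once.
# All names below are illustrative assumptions, not a framework's real API.
import base64
import hashlib
import hmac
import json
import secrets


class DbSessionStore:
    """Opaque-id sessions kept server-side (a dict stands in for the table)."""

    def __init__(self):
        self._rows = {}  # session_id -> user_id

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self._rows[sid] = user_id
        return sid

    def user_for(self, sid):
        return self._rows.get(sid)

    def clear_all(self):
        """Equivalent of `DELETE FROM sessions`; returns how many were ended."""
        n = len(self._rows)
        self._rows.clear()
        return n


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_signed_cookie(secret: bytes, user_id: int) -> str:
    """Stateless session: payload.signature, HMAC-SHA256 keyed with the app secret."""
    payload = _b64(json.dumps({"uid": user_id}).encode())
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_signed_cookie(secret: bytes, cookie: str):
    """Return the user id if the cookie verifies under `secret`, else None."""
    try:
        payload, sig = cookie.split(".", 1)
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time compare
            return None
        return json.loads(_unb64(payload))["uid"]
    except (ValueError, KeyError, TypeError):
        return None


def demo():
    """Constructed scenario: two users logged in before the incident."""
    store = DbSessionStore()
    alice_sid = store.create(1)
    bob_sid = store.create(2)
    ended = store.clear_all()  # the "cleared all live sessions" step
    db_result = (ended, store.user_for(alice_sid), store.user_for(bob_sid))

    old_secret = secrets.token_bytes(32)
    cookie = issue_signed_cookie(old_secret, 1)
    still_valid_before = verify_signed_cookie(old_secret, cookie)
    new_secret = secrets.token_bytes(32)  # rotating the key ends every signed session
    after_rotation = verify_signed_cookie(new_secret, cookie)
    return db_result, still_valid_before, after_rotation


if __name__ == "__main__":
    print(demo())
```

The practical caveat: if an application uses signed-cookie sessions, clearing a session table does nothing, and the secret key has to be rotated (which logs everyone out as a side effect). Either way, API keys and OAuth client secrets issued by third parties are separate from the session mechanism and have to be rotated on their own, as the list above does.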