You’ve likely already heard about the “Heartbleed” security vulnerability affecting thousands of websites and millions of servers worldwide. I just wanted to share some quick notes here to address any questions you might have about how this affects Expensify:
- All data is secure. We’ve had no indication that this vulnerability has affected any users in any way.
- All public servers are secure. We’ve done a complete audit of all public web servers and confirmed that they do not have this vulnerability.
- All private servers have been secured. We did find one private monitoring server experiencing this vulnerability, but it does not host any customer data, nor is it accessed by customers. Regardless, it has been shut down and will be secured before being restarted.
- The https://www.expensify.com certificate has been renewed. Even though there was no indication of any wrongdoing by anybody, just to eliminate even the possibility of security risk we’ve replaced our primary HTTPS certificate.
In summary, all is well, and will remain so. Incidentally, while on the topic of security, let me remind you what we do and share some new details:
- PCI-DSS. Everything we do complies with the Payment Card Industry Data Security Standard. This is the “gold standard” for security, created by Visa and MasterCard, and the official security standard used by banks and financial services worldwide.
- SSAE 16 SOC 1 Type II. It’s a mouthful, but we’re undergoing a comprehensive audit of all internal systems and controls. Most companies won’t care about this, but it’s important to our larger and publicly-traded customers.
- External security audit. Even before this went down, we had engaged an outside security firm to do a “deep dive” on our internal security design, as well as to perform “white hat” analysis and scanning of our systems to verify that they’re implemented correctly.
Security is at the very heart of everything we do. We think of it continuously, so you won’t need to.
Hi David, I appreciate the Heartbleed update. I’m concerned, however, because clicking on the certificate shows it was issued in July 2013. I’m also concerned because, of all the sites I checked in the LastPass checker this morning, yours was the only one without a green “ok.”
Server software: All your base are belong to us
Vulnerable: Possibly (might use OpenSSL)
SSL Certificate: Unsafe (created 9 months ago at Jun 28 00:00:00 2013 GMT)
Assessment: Wait for the site to update before changing your password
Ah, this is because we just re-issued the old cert with a new key, as opposed to fully renewing the key. This was done to minimize the chance of impact to the rest of the system, as we wanted to expedite the change. The upshot is it has all the same “metadata” as the old cert (name, dates), but has new encryption keys. Sorry for this confusion!
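One way to verify a re-key of this kind, as an added example that is not part of the original post or of Expensify’s own tooling: a certificate re-issued for a new key can carry the same subject and the same validity dates as the old one, so a checker that looks only at the issue date (as the LastPass output above does) cannot tell the two apart, whereas a SHA-256 over the DER-encoded SubjectPublicKeyInfo changes exactly when the key pair changes. The hostname example.test, the file names and every function name below are constructed for this example; the script assumes only a POSIX shell and the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not Expensify's code): compare what a date-based checker sees
# with the key material that actually changed after a certificate re-key.
set -eu

# Subject and validity window shared by the "old" and "re-issued" certificates
# (constructed placeholder hostname).
DEMO_SUBJECT="/CN=example.test"
DEMO_DAYS=365

# Issue a self-signed certificate for a freshly generated P-256 key.
# $1 = output directory, $2 = file stem (e.g. old, new)
issue_self_signed() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.pem" -days "$DEMO_DAYS" \
    -subj "$DEMO_SUBJECT" >/dev/null 2>&1
}

# Create old.pem and new.pem in $1: same subject and validity period, new key.
make_demo_certs() {
  issue_self_signed "$1" old
  issue_self_signed "$1" new
}

# Fields a date-only checker looks at.
cert_subject()     { openssl x509 -in "$1" -noout -subject   | cut -d= -f2-; }
cert_not_before()  { openssl x509 -in "$1" -noout -startdate | cut -d= -f2-; }

# SHA-256 fingerprint of the whole certificate (changes on any re-issue).
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# SHA-256 over the DER SubjectPublicKeyInfo: changes iff the key pair changed.
cert_spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 if the public key in $2 differs from the one in $1 (the site re-keyed).
key_was_rotated() {
  [ "$(cert_spki_sha256 "$1")" != "$(cert_spki_sha256 "$2")" ]
}

# Show both views side by side for a pair of demo certificates.
demo() {
  dir=$(mktemp -d)
  make_demo_certs "$dir"
  for stem in old new; do
    c="$dir/$stem.pem"
    echo "$stem: subject=$(cert_subject "$c") notBefore=$(cert_not_before "$c")"
    echo "$stem: spki_sha256=$(cert_spki_sha256 "$c")"
  done
  if key_was_rotated "$dir/old.pem" "$dir/new.pem"; then
    echo "key rotated: yes (dates alone would not have shown this)"
  else
    echo "key rotated: no"
  fi
  rm -rf "$dir"
}

# Run as `sh check_rekey.sh demo` to print the comparison.
if [ "${1:-}" = "demo" ]; then demo; fi
```

The demo issues both certificates within the same second, so their notBefore values normally match and the subject is identical, which is exactly the situation the comment above describes; only the SPKI hash and the whole-certificate fingerprint reveal that the key changed. Against a live site, feed `cert_spki_sha256` the PEM saved from a connection before and after the reported re-key rather than the self-signed pair generated here.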