Apr 11, 2014
Earlier this week, the Internet was hit with the Heartbleed bug, which poses a serious threat to vast amounts of private information and data. No customer data stored in SpringAhead Time & Expense is vulnerable. We'd like to take a moment to help you understand the potential gravity of the Heartbleed bug, how SpringAhead Time & Expense protected your data, and what you personally can do to prevent compromised data in the future.
What is Heartbleed?
Heartbleed is a security flaw in OpenSSL's implementation of the heartbeat extension (RFC 6520) for the TLS and DTLS transport layer security protocols. The bug allows memory contents to leak from the server to the client and from the client to the server. While bugs in software are usually fixed quietly by new versions, Heartbleed has proven to be a "super bug" of sorts, leaving extensive amounts of private information vulnerable and exposed online. This extensive exposure, combined with attacks that leave no trace in server logs, makes for easy exploitation.
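The following added example (not code from the original post or from OpenSSL) shows the RFC 6520 heartbeat message layout and the length check the unpatched code omitted: a request whose header claims more payload than was actually received must be discarded rather than answered, because answering it is what echoed back memory beyond the request. The message bytes are constructed for illustration.

```python
import os
import struct

# RFC 6520 HeartbeatMessage: type(1) | payload_length(2) | payload | padding(>=16)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def parse_heartbeat(message: bytes):
    """Return (type, payload) for a well-formed heartbeat, or None to discard it.

    RFC 6520 section 4: if payload_length is too large for the message actually
    received, the message MUST be discarded silently. Unpatched OpenSSL trusted
    payload_length and copied that many bytes from memory after the request;
    the bounds check below is what the fix added.
    """
    if len(message) < 1 + 2 + MIN_PADDING:
        return None  # too short to even carry the mandatory padding
    msg_type, payload_length = struct.unpack("!BH", message[:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    if 1 + 2 + payload_length + MIN_PADDING > len(message):
        return None  # claimed length exceeds what was received: discard
    return msg_type, message[3:3 + payload_length]


def build_heartbeat(msg_type: int, payload: bytes) -> bytes:
    """Serialise a heartbeat message with the mandatory random padding."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for a 16-bit length field")
    return struct.pack("!BH", msg_type, len(payload)) + payload + os.urandom(MIN_PADDING)


def answer_heartbeat(request: bytes):
    """Server side: echo the payload of a valid request, otherwise drop it."""
    parsed = parse_heartbeat(request)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, parsed[1])


# Constructed sample messages (illustration only, not captured traffic).
GOOD_REQUEST = build_heartbeat(HEARTBEAT_REQUEST, b"hello")
# Header claims a 16 KiB payload while only 5 bytes plus padding follow.
BAD_REQUEST = struct.pack("!BH", HEARTBEAT_REQUEST, 0x4000) + b"hello" + bytes(16)
```

A patched server drops BAD_REQUEST; a vulnerable one would have replied with roughly 16 KiB of whatever sat in its memory after the request.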
Your SpringAhead Time & Expense Customer Data is 100% Secure
On learning of the general issue, the SpringAhead Development Team performed an exhaustive assessment of potential exposure and concluded that all user data is secure. Here’s why:
Our public servers are safe. The load balancer we use does not contain or use the affected OpenSSL component, and passes Heartbleed vulnerability testing without issue.
Our private servers are secure. All of our private servers operate within a Virtual Private Cloud (VPC) and are not accessible directly from the Internet. One Amazon Linux-based system within our VPC, which we use for coordination, is being patched, but hosts neither customer data nor sensitive access keys. Even if it were sitting on the internet for all to see, it would not compromise customer data.
No third-party services experienced exposure. We have been in direct contact with all of our third-party services, and all have confirmed their systems were never vulnerable to Heartbleed.
How to Remain Protected Moving Forward
Stay out of accounts on affected sites until the company has patched the problem. Most major companies should release announcements regarding the status of their security. If they have not, SpringAhead recommends that you contact the company to verify the safety of your data.
Change your passwords ONLY on officially patched sites. Start with personal financial login information, then email accounts, then software solutions that affect business and professional matters. After all critical accounts have updated passwords, then begin updating the rest of your personal and business accounts.
REMEMBER: In order to truly remain safe, you should diversify your passwords and never reuse the same password across critical accounts. If the password for your SpringAhead Time & Expense account is shared with several other online accounts, we recommend you change your SpringAhead password to be safe.
Routinely check your financial statements. Manually scan your credit card statements, both personal and business, for any suspicious charges over the next few months. If you see a charge you do not recognize, contact your bank immediately to report it.
The unyielding protection of your information remains our highest priority here at SpringAhead, and this commitment has proven critical in moments of vulnerability such as this. If you have any additional questions, please leave them in the comments below and we’ll reply as soon as possible!