Earlier this week, the Internet was hit with the Heartbleed bug, which poses a serious threat to vast amounts of private information and data. No customer data stored in Tallie is vulnerable. We’d like to take a moment to help you understand the potential gravity of the Heartbleed bug, how Tallie protected your data, and what you personally can do to prevent compromised data in the future.
What is Heartbleed?
Heartbleed is a security flaw in OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). The bug allows memory contents to leak from the server to the client and from the client to the server. While most software bugs are simply fixed by a new release, Heartbleed has proven to be a “super bug” of sorts, leaving extensive amounts of private information vulnerable and exposed online. This extensive exposure, combined with attacks that leave no trace in server logs, makes for easy exploitation.
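As an added example (not Tallie’s code or part of the original post), the shell script below classifies a local OpenSSL build against the Heartbleed-affected range using the text of `openssl version -a`. It assumes the version ranges published in the OpenSSL advisory (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g and later, and the 0.9.8/1.0.0 branches, not affected) and that a build whose compiler flags include `-DOPENSSL_NO_HEARTBEATS` has the extension disabled; the sample `version -a` output is constructed, not captured from any real system.

```shell
#!/bin/sh
# Added example (not Tallie's code): decide whether a local OpenSSL build falls
# in the Heartbleed-affected range, from the text of `openssl version -a`.
# Affected per the OpenSSL advisory: 1.0.1 through 1.0.1f, and 1.0.2-beta1.
# Not affected: 1.0.1g and later, 1.0.2-beta2 and later, and the 0.9.8 / 1.0.0
# branches (no heartbeat support). Caveat: distribution packages often keep an
# old version string after backporting the fix, so confirm the package changelog
# or build date before trusting a "vulnerable" verdict from the version alone.

# heartbleed_status VERSION_LINE -> vulnerable | patched | not-affected | unknown
# VERSION_LINE is the first line of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]*)      echo "vulnerable" ;;    # 1.0.1 .. 1.0.1f (incl. -fips suffixes)
        1.0.2-beta1)            echo "vulnerable" ;;
        1.0.1*|1.0.2*|1.1*|3.*) echo "patched" ;;       # 1.0.1g+ and newer branches
        0.9.*|1.0.0*)           echo "not-affected" ;;  # heartbeat extension not implemented
        *)                      echo "unknown" ;;
    esac
}

# heartbeats_compiled_out FULL_OUTPUT -> yes | no
# FULL_OUTPUT is the whole of `openssl version -a`; a build compiled with
# -DOPENSSL_NO_HEARTBEATS is safe even at an affected version number.
heartbeats_compiled_out() {
    if printf '%s\n' "$1" | grep -q -- '-DOPENSSL_NO_HEARTBEATS'; then
        echo "yes"
    else
        echo "no"
    fi
}

# assess FULL_OUTPUT -> final verdict combining the two checks
assess() {
    first_line=$(printf '%s\n' "$1" | head -n 1)
    status=$(heartbleed_status "$first_line")
    if [ "$status" = "vulnerable" ] && [ "$(heartbeats_compiled_out "$1")" = "yes" ]; then
        echo "patched"   # affected version, but heartbeats disabled at build time
    else
        echo "$status"
    fi
}

# Constructed sample of `openssl version -a` output for an affected version
# built with heartbeats compiled out (not captured from any real system).
SAMPLE_NO_HB='OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Apr  8 10:00:00 UTC 2014
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS -D_REENTRANT -O3
OPENSSLDIR: "/usr/lib/ssl"'

# Set HEARTBLEED_CHECK_LIVE=1 to run the check against the OpenSSL installed on this host.
if [ "${HEARTBLEED_CHECK_LIVE:-0}" = "1" ]; then
    assess "$(openssl version -a 2>/dev/null)"
fi
```

Run it with `HEARTBLEED_CHECK_LIVE=1 sh heartbleed_check.sh` on each host; the version check is the quick triage step, and the compiler-flag check catches builds that were deliberately hardened by disabling the heartbeat extension rather than upgraded.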
Your Tallie Customer Data is 100% Secure
On learning of the general issue, Tallie’s Development Team performed an exhaustive assessment of potential exposure and concluded that all user data is secure. Here’s why:
Our public servers are safe. The load balancer we use does not contain or use the affected OpenSSL component, and passes Heartbleed vulnerability testing without issue.
Our private servers are secure. All of our private servers operate within a Virtual Private Cloud (VPC) and are not accessible directly from the Internet. One Amazon Linux-based system within our VPC, which we use for coordination, is being patched, but hosts neither customer data nor sensitive access keys. Even if it were sitting on the internet for all to see, it would not compromise customer data.
Some third-party services experienced minor exposure. Some of the third-party services we use were vulnerable and have since been patched by their providers. For these systems, we are following the recommended mitigation steps by regenerating access keys, though there is no indication of any breach or compromise, and again, no customer data is at risk, even indirectly, via these particular systems.
How to Remain Protected Moving Forward
Stay out of accounts on affected sites until the company has patched the problem. Most major companies should release announcements regarding the status of their security. If they have not, Tallie recommends that you contact the company to verify the safety of your data.
Change your passwords ONLY on officially patched sites. Start with personal financial login information, then email accounts, then software solutions that affect business and professional matters. Once all critical accounts have new passwords, begin updating the rest of your personal and business accounts.
REMEMBER: In order to truly remain safe, you should diversify your passwords and never use the same password for all critical accounts. If you have used a password for your Tallie account that is shared across several different online accounts, we recommend you change your Tallie password to be safe.
Routinely check your financial statements. Manually scan your credit card statements, both personal and business, for any suspicious charges over the next few months. If you see a charge you do not recognize, contact your bank immediately to report it.
The unyielding protection of your information remains our highest priority here at Tallie, and this commitment has proven critical in moments of vulnerability such as this. If you have any additional questions, please leave them in the comments below and we’ll reply as soon as possible!