This week, a serious security leak in OpenSSL came to light. The leak – named Heartbleed – also made AppSignal vulnerable. We have taken the following steps to secure our systems:
We immediately patched all our systems to use a version of OpenSSL with a fix for Heartbleed on Tuesday. This includes both our loadbalancers and Ruby installs.
We changed our SSL keys and reissued our certificates.
We replaced API tokens for external services we use.
We set a new session secret so all users have had to log in again.
We advise our users to change their password, user API token and Github credentials on AppSignal. We have no evidence of any malicious activity, but better safe than sorry. If any new information becomes available we will post it here and on our Twitter feed.