The Heartbleed bug has been widely covered in the media recently. It is a serious software bug with the potential to expose users visiting affected sites to spying. We have taken the situation very seriously and, as soon as we became aware of the issue, took immediate steps to ensure that we are not vulnerable to an attacker collecting data via Workbooks.
Until 15 March we were running software that included a revision of OpenSSL 0.9.8 which was not vulnerable to the Heartbleed attack. Therefore, any attacker using Heartbleed could only have done so in the past few weeks (and likely only since Monday 7 April, when the vulnerability was announced). We deployed a patch to address the issue on the morning of Wednesday 9 April; thus it is our considered opinion that there was a very small window of only 48 hours between the announcement and the fix when attacks could have occurred. Further, it is likely that any attackers would have targeted more high-profile sites than ours during that window. If data has been collected, it could have been to:
- Carry out a man-in-the-middle attack – whereby you think you are exchanging information with Workbooks but are actually relaying messages to an attacker. We will deploy new SSL certificates on our service to mitigate this.
- Log in to your account. Whilst we think it highly unlikely that we have been affected by the attack, if you are even slightly concerned that an attacker may have acquired data, we would recommend that you and all your users change your Workbooks passwords.
- Use any collected data, such as telephone numbers, email addresses or credit card details, inappropriately. Most of our customers do not handle highly sensitive data, and information such as credit card numbers should always be encrypted, so we think it unlikely that an attacker would see value in acquiring the information held in Workbooks.
In summary, please be assured that we have acted quickly to mitigate the likelihood of Heartbleed affecting our customers. We take data security extremely seriously and will always act promptly when aware of potential threats.