Last week was tricky for any web service that used a version of the OpenSSL library vulnerable to CVE-2014-0160. The Heartbleed vulnerability, a bug in OpenSSL's TLS heartbeat extension that lets a remote peer read chunks of a server's memory (including private keys and passwords that happen to be there), shocked the world and was probably the Internet's worst widespread security flaw to date.
BusyConf was running a version of OpenSSL vulnerable to Heartbleed at the time of the announcement. The affected systems were protected immediately with mitigation steps and later patched; new SSL private keys and certificates were deployed as soon as it was safe to do so.
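Two checks that follow from the steps above, as an added example that is not BusyConf's own code: first, whether an `openssl version` string names an upstream release that shipped CVE-2014-0160 (1.0.1 through 1.0.1f, and 1.0.2-beta1); second, whether the certificate a host serves after patching was actually reissued, i.e. issued after the patch time and not carrying the serial seen while the host was vulnerable. The certificate dicts, the serial numbers and the patch timestamp below are constructed samples, not BusyConf's real certificates or dates.

```python
import re
import ssl
from datetime import datetime, timezone

# Matches the leading token of `openssl version` output, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def upstream_version_affected(version_output):
    """True if the upstream OpenSSL release named in `version_output` shipped
    Heartbleed (CVE-2014-0160): 1.0.1 .. 1.0.1f and 1.0.2-beta1.

    Caveats: distributions backport the fix without bumping the letter, so a
    patched Debian/Ubuntu/RHEL build still reports e.g. 1.0.1e here, and a
    patched library only helps once every process using it has been restarted.
    Treat True as "needs a closer look", not as proof of exposure.
    """
    m = _VERSION_RE.search(version_output)
    if not m:
        raise ValueError("not an 'openssl version' string: %r" % version_output)
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are vulnerable; 1.0.1g is the fix.
        return letter < "g"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 beta carried the bug.
        return beta == "beta1"
    # 0.9.8 and 1.0.0 never had the heartbeat extension; later branches are fixed.
    return False


def reissue_findings(cert, patched_at, serial_seen_while_vulnerable):
    """Inspect a `ssl.SSLSocket.getpeercert()`-style dict for a host that has
    been patched at `patched_at` (an aware UTC datetime).

    Returns a list of problems; an empty list means the served certificate was
    issued after the patch and differs from the one served while vulnerable.
    Caveat: getpeercert() does not expose the public key, so a new serial is
    only a proxy; the real requirement is that the *key* was regenerated.
    """
    findings = []
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]),
                                    timezone.utc)
    if issued <= patched_at:
        findings.append("notBefore %s is not after the patch time; the certificate "
                        "may have been issued while the key was exposed" % cert["notBefore"])
    if cert["serialNumber"] == serial_seen_while_vulnerable:
        findings.append("same serial as served while vulnerable: certificate not reissued")
    return findings


# Constructed samples (assumptions for illustration, not real BusyConf data).
PATCHED_AT = datetime(2014, 4, 8, 12, 0, tzinfo=timezone.utc)
CERT_WHILE_VULNERABLE = {
    "subject": ((("commonName", "example.invalid"),),),
    "serialNumber": "0A1B2C",
    "notBefore": "Mar  1 00:00:00 2014 GMT",
    "notAfter": "Mar  1 00:00:00 2015 GMT",
}
CERT_AFTER_PATCH = {
    "subject": ((("commonName", "example.invalid"),),),
    "serialNumber": "7F3E21",
    "notBefore": "Apr  9 15:30:00 2014 GMT",
    "notAfter": "Apr  9 15:30:00 2015 GMT",
}

if __name__ == "__main__":
    for v in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
              "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 1.0.0l 6 Jan 2014"):
        print("%-32s affected upstream: %s" % (v, upstream_version_affected(v)))
    print("old cert:", reissue_findings(CERT_WHILE_VULNERABLE, PATCHED_AT, "0A1B2C"))
    print("new cert:", reissue_findings(CERT_AFTER_PATCH, PATCHED_AT, "0A1B2C"))
```

In practice the dict for `reissue_findings` comes from `ssl.create_default_context().wrap_socket(...).getpeercert()` against the live host, and the serial to compare against is whatever you recorded (or your monitoring saw) before the patch.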
When each of our third-party service providers announced that they had also patched the vulnerability, BusyConf, just to be safe, changed all relevant passwords and rolled all relevant API keys with that provider.
While we have no evidence that the exploit affected any of our customers' data, we recommend, to be safe, that customers update their passwords with all secure services they use, including BusyConf. In particular, we recommend that everyone change their BusyConf management password.
Because attendees do not store passwords with BusyConf, no action is necessary for attendees of conferences that use BusyConf to help manage their events.
It’s worth noting that sensitive credit card information is never passed to BusyConf’s servers. All sensitive cardholder data is sent directly to our payment processor, which helps us meet the Payment Card Industry Data Security Standard (PCI DSS) and keep your information as safe as possible.
We use several third-party services to help manage the BusyConf platform. All of them have also issued official Heartbleed announcements: