You may have heard some talk recently about the “Heartbleed bug.” That’s the scary-named vulnerability that was just discovered in the software library that protects many sites on the internet – including Buffer.

We wanted to make sure to tell you exactly what we know and what we’ve done about Heartbleed at Buffer to keep your information as safe as possible.

What is Heartbleed?

The Heartbleed bug was discovered on April 7th in OpenSSL, the cryptography library that protects an estimated 66%+ of the entire web. It can allow anyone on the internet to decrypt protected web traffic and potentially uncover names, passwords, and content you send to secure web sites. Although it was only just found, the bug has been around for more than two years, which means a lot of sites that we all use every day may have been affected. That’s the gist, but you can learn a lot more about it at the Heartbleed FAQ.

How Buffer has reacted

To fix the vulnerability in Buffer, we have worked with Amazon Web Services to patch the vulnerability and re-keyed all of our SSL certificates. This closed the vulnerability for all Buffer customers. That means for your security, you’ll be logged out of your Buffer account and will need to sign back in. We know this isn’t ideal, and we’re really sorry to add these additional steps to your day.

What you can do to stay safe

Since we’ve made these updates, your data is now safe in Buffer. We would encourage you to change your password for Buffer and any other site you log in to. (Check first to make sure they’ve fixed the vulnerability, though – otherwise you might have to change it again later. Services like Lastpass can help you navigate which sites are vulnerable and when you’re clear to change your password.)
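The “check first” advice above, and the reissue-versus-re-key question that comes up in the comments, boil down to one question a user can answer from the site’s certificate: was it issued after the site was patched, and is it actually a different certificate than before? Here is an added example of that check (not Buffer’s code; the sample certificate dicts, the host name `social.example` and the serial numbers are constructed), using only the Python standard library and the dict shape that `ssl.getpeercert()` returns.

```python
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure date of Heartbleed as given in the post (7 April 2014).
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_not_before(cert):
    """notBefore of a cert dict (the shape ssl.getpeercert() returns) as a UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])  # e.g. 'Apr  9 18:30:00 2014 GMT'
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def assess_reissue(cert, patched_at=HEARTBLEED_DISCLOSURE, previous_serial=None):
    """Decide whether a site's certificate was issued after its key could have leaked.

    patched_at: when the site applied the OpenSSL fix; defaults to the disclosure
    date, because a certificate issued before the patch was generated on a server
    that could still leak its private key.
    Returns 'unchanged', 'predates-patch' or 'reissued'.
    """
    if previous_serial is not None and cert.get("serialNumber") == previous_serial:
        return "unchanged"        # same certificate as before: nothing was rotated
    if cert_not_before(cert) < patched_at:
        return "predates-patch"   # issued while the key could have leaked
    return "reissued"             # new cert after the fix; still confirm the key changed too


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the live certificate dict for host (needs network; not used by the samples)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificate dicts in ssl.getpeercert() shape; not real certificates.
SAMPLE_OLD_CERT = {
    "subject": ((("commonName", "social.example"),),),
    "serialNumber": "0A1B2C",
    "notBefore": "Jan 15 00:00:00 2013 GMT",
    "notAfter": "Jan 15 23:59:59 2015 GMT",
}
SAMPLE_NEW_CERT = dict(SAMPLE_OLD_CERT, serialNumber="3D4E5F", notBefore="Apr  9 18:30:00 2014 GMT")

if __name__ == "__main__":
    for cert in (SAMPLE_OLD_CERT, SAMPLE_NEW_CERT):
        print(cert["serialNumber"], assess_reissue(cert, previous_serial=SAMPLE_OLD_CERT["serialNumber"]))
```

A fresh notBefore shows a new certificate, not necessarily a new private key, since a CA can reissue over the same key; when you have the old certificate, compare its public-key fingerprint as well.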

And if you haven’t activated Buffer’s optional 2-step login, now would be a great time to do that. It’s the most secure and safest way to handle your social media accounts.

One final note: Although this security breach affects far more than just Buffer, we’re who you trusted with your data and we take that trust and responsibility very seriously. We’re really sorry this happened.

Got questions about Heartbleed, web vulnerabilities and Buffer? We’re here to help.

If you’re interested in more information about what the Heartbleed vulnerability is and things you can do to protect yourself, here are some great links. Some of these links may be a bit technical; if you have any questions at all about this, just tweet us!

Written by Courtney Seiter

Courtney writes about social media, diversity and workplace culture at Buffer. She runs Girls to the Moon on the side and pets every dog she sees.

  • mhsutton

    Great to hear you folks are on the ball! Wouldn’t expect anything less from my favorite company.

    I did spot this typo: “our our SSL certificates”.

    • Courtney Seiter

      Whoops! Great catch; thanks for spotting it! :)

  • http://kitokid.com/tag/%D8%A7%D9%84%D8%B9%D8%A7%D8%A8-%D8%AA%D9%84%D9%88%D9%8A%D9%86/ kitokid

    good for webmasters

  • http://www.kinsta.com/ Mark Gavalda

    Buffer is always looking out for its users, I love you guys :)

    • Courtney Seiter

      Thanks, Mark–that really makes us so happy to hear! :D

  • armanketigabelas

    This is the first time I heard about heartbleed, thanks Courtney, thanks Buffer..

    • Courtney Seiter

      It’s scary stuff! Lots of password changing will be going on this week!

  • http://www.brand.com/blog James R. Halloran

    Thanks, guys! I always admire how you guys relay sensitive information to your users. We’re not even mad. We completely understand! :-)

    • Courtney Seiter

      So glad to hear that, James; we take our responsibility with your data very seriously!

      • Yangbo Du

        Given the number of security threats that appear daily, yours was the first word I received about Heartbleed — keep up the constant vigilance.

  • http://lostpr.es/ David Iwanow

    So everyone keeps saying use LastPass but if you look on the lists circulating on who was hit http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/ LastPass is on there…

    • http://waleedzuberi.com/ Waleed Zuberi

      According to their blog post, their server was vulnerable, but because user data is also locally encrypted before it gets sent to their servers (using SSL), it was never really at risk. That’s the second layer of protection they’re talking about.

      Link: http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

    • Courtney Seiter

      I’m definitely no expert here, but I think they’ve applied the same patch that we and other sites have – and might even have some additional layers of security.

  • Amanda Proo

    Thank you so much for posting this explanation and update!

    • Courtney Seiter

      Happy to help!

  • http://www.nootropicmind.com Brook

    Thanks for alerting us to this issue, I didn’t know how bad it was.

    • Courtney Seiter

      Yes, I learned a lot more myself researching this!

  • EL

    Are you guys going to contribute resources to OpenSSL development? Perhaps – at minimum – a full audit of the code?

    • sunils34

      Hi There! That’s a good question! The OpenSSL community is a large one and comprised of many top web companies (Google. What was concerning is OpenSSL is the de facto standard library that most sites on the web use for SSL encryption and that’s why this was shocking. OpenSSL is well tested. The engineers at Buffer did a deep review of the heartbeat vulnerability and the fix that was made with OpenSSL and our setup as well as dug deeper into the OpenSSL library to look for other potential vulnerabilities.

      Unfortunately I don’t think at the moment we’d be able to contribute as much as we’d like to OpenSSL development, however we’ll definitely be more conscious of the software libraries that we use and ensure we’re always up-to-date and jump quickly on any new known vulnerabilities.

  • Tony

    Courtney, great article and I am a user of buffer. Glad you guys are patched.

    Lastpass is patched, but their heartbleed tool is not accurate yet. We are all scrambling to get something solid.

    • Courtney Seiter

      Great info to know, Tony; thanks so much for sharing that.

      • Tony

        :) Courtney. I have been working on Chromebleed with Jamie Hoyle and Filippo Valsorda. Should have v2 up in next few hours.

  • http://www.VAforAuthors.com/ Sarah Houldcroft

    Thanks Buffer People, it is good to know that you are looking after us. :)

  • http://www.thetravelmanuel.com/ Vaughan McShane

    Y’all rock. Thanks for the update.

  • http://bit.ly/Pcd0hZ Traci Loudin

    Thanks for the heads up!

  • Rodrigo Chiong

    Good to know! Did you also reissue your SSL certificates? If not, changing passwords may still prove ineffective. Anyway, thanks for the heads-up and the quick patch!

    • sunils34

      Hey Rodrigo! Great question! We did reissue/re-key our SSL certificates with a new private key. We’re working with our Certificate Authority to revoke the old SSL cert. Let me know if you have any more questions about this!

      • Rodrigo Chiong

        Good to know! Thanks for the quick reply, now’s a great time to change my Buffer password then.

  • http://www.amcanna.com/ AmCanna

    Can’t login now. Tried resetting password. All ends up with Security code. However, I receive on my phone and the site says it’s incorrect!! Now they don’t even come into my phone!!!
    Very annoying!!
    Please fix this before saying you fixed it!!

    • Courtney Seiter

      So sorry about this trouble you’re having! It sounds like it might be an issue with 2-step authentication? Would you mind terribly taking a screenshot of what you’re seeing and sending it to us at hello@bufferapp.com? I’d really love to get you all set up here; so sorry for the trouble!

  • http://rayvellest.com/ Ray Vellest

    Great news! Thanks for being so transparent in the way Buffer does its business, especially when dealing with nasty things such as heartbleed.

    • Courtney Seiter

      We’re really happy to–it’s the right thing to do!

  • Robert Mares

    The first site which explains why I have to log in again! Thanks. Now I also know why some others did this. And curious … why a lot didn’t force me to relogin .. ;-( feeling safe with Buffer!