Heartbleed vulnerability update

S. Alex Smith and Malcolm Handley

This week, a major security flaw was detected in OpenSSL, the open-source encryption standard used by the majority of websites and services. We took immediate steps to patch the potential vulnerability in our infrastructure, and Asana is no longer vulnerable.

We have no evidence of any malicious behavior, but we strongly encourage you to change your Asana password. We also recommend you change your passwords everywhere else, since this vulnerability affects many services and websites you use.

Please let us know if you have any questions or concerns.

    1. Alex (Asana Team Member)

      We switched to our new certificate (the last step of our patching) in the early afternoon on Tuesday (PST). If you changed your password on Tuesday night, you should be fine.

  1. Holger

    Heartbleed’s vulnerability existed for the past two years. Let’s stay calm and reasonable. Yes, change your passwords, like you always do every month.

        1. jwjb

          Both Asana and LastPass get a <3 for their quick action and reporting. Just ran a Security Check on my LastPass Vault and out of 1361 sites scanned, LastPass is recommending 18 for 'Go update!' and 6 to 'Wait' of which Asana is 1 of the 18 sites to update where it shows 'asana.com' updated their certificate 3 days ago which coincides with this Blog post too. At this point, I am surprised and pleased that there are just 18 sites out of the 1361 sites in my LastPass Vault that need to be updated as I was expecting a lot more. Again, lots of <3 and +1 for Asana and LastPass for making these security updates as easy as possible.

  2. Shoop

    I wish someone hacked into my asana account and finished all my tasks for me. Definitely NOT changing my password, actually, email me if you want it :)

    1. Anne-France

      I love you, Shoop. If you find someone to hack into YOUR asana account, give them MY asana account info, too. Then we can run off together, and have NOTHING to do. Aaahhhh….

      1. Jennifer

        Great idea! Let’s start a task train. You do mine I’ll do someone else’s and so on. However, I request the person after me has like five tasks…

        1. August

          Jennifer, I like your idea. Have you ever noticed how it is much easier and more fun to do dishes at someone else’s house? Taking care of someone else’s kids or pets is easier than your own?

          Years ago my mom was in a babysitting co-op where the families would trade babysitting and keep track of hours. No money changed hands. I’m wondering about a personal assistant co-op where you could get help with all the stuff you are procrastinating in exchange for doing internet research, writing letters, whatever there is that could actually be done by someone else.

          Just an idea.

          1. Bemo

            Not just an idea… but possibly a great idea. Working on someone else’s procrastination list seems almost easier for some reason.

          2. K8

            I’m totally into this idea. Feel free to email me any time if someone wants to get this off the ground.

          3. Thomas

            If it were me, I’d probably just get the other person to use Taskrabbit. That way the infrastructure is all taken care of. Just don’t exchange any money. :)

    2. Terence

      Haha.. I will also be willing to pass on my pwd if the hacker wouldn’t mind completing my tasks.. Great response Shoop!

  3. Kenneth

    Does this apply to people who log in via their Google accounts? Another service we use said that if you log in to their site via a Google account, nothing needs to be changed.

      1. Paul

        Thanks for this… you might want to update the post above or the warning in Asana to let people know as I tried changing my password and it wasn’t letting me (duh, because I’ve used Google account since day 1).

        Thanks!

    1. Alex (Asana Team Member)

      We run on AWS, so we don’t have control over any routers. However we don’t believe this should present any risk to user data — all of the endpoints where user data is encrypted and decrypted have been patched.
