Heartbleed vulnerability update

This week, a major security flaw was detected in OpenSSL, the open-source encryption standard used by the majority of websites and services. We took immediate steps to patch the potential vulnerability in our infrastructure, and Asana is no longer vulnerable.

We have no evidence of any malicious behavior, but we strongly encourage you to change your Asana password. We also recommend you change your passwords everywhere else, since this vulnerability affects many services and websites you use.

Please let us know if you have any questions or concerns.

  • Chris Vale
    Any visibility on when you guys patched? If we already reset on Tuesday night, are we good?
    • Alex
      We switched to our new certificate (the last step of our patching) in the early afternoon on Tuesday (PST). If you changed your password on Tuesday night, you should be fine.
      • andre
        Alex — is this still needed -6/2/2014
  • Holger
    Heartbleed’s vulnerability existed for the past two years. Let’s stay calm and reasonable. Yes, change your passwords, like you always do every month.
  • Melissa
    Changing your password every month is calm & reasonable? I need to lie down…
    • Tyler
      LastPass! Changing once a month is a little extreme / one of the reasons I don’t work for a big corporation :)
      • Alex
        ++ on lastpass!
        • jwjb
          Both Asana and LastPass get a <3 for their quick action and reporting. Just ran a Security Check on my LastPass Vault and out of 1361 sites scanned, LastPass is recommending 18 for 'Go update!' and 6 to 'Wait' of which Asana is 1 of the 18 sites to update where it shows 'asana.com' updated their certificate 3 days ago which coincides with this Blog post too. At this point, I am surprised and pleased that there are just 18 sites out of the 1361 sites in my LastPass Vault that need to be updated as I was expecting a lot more. Again, lots of <3 and +1 for Asana and LastPass for making these security updates as easy as possible.
      • Matt
        MOAR LASTPASS!!! :D
  • Adam
    FYI I’m getting a redirect from your home page and “change your password” link to edX but with your URL…https://asana.com/course-list
  • Hernando
    Try to switch once a year AT LEAST, but once a month is very reasonable… recommendation: http://keepass.info/
  • Shoop
    I wish someone hacked into my asana account and finished all my tasks for me. Definitely NOT changing my password, actually, email me if you want it :)
    • Anne-France
      I love you, Shoop. If you find someone to hack into YOUR asana account, give them MY asana account info, too. Then we can run off together, and have NOTHING to do. Aaahhhh….
      • Jennifer
        Great idea! Let’s start a task train. You do mine I’ll do someone else’s and so on. However, I request the person after me has like five tasks…
        • August
          Jennifer, I like your idea. Have you ever noticed how it is much easier and more fun to do dishes at someone else’s house? Taking care of someone else’s kids or pets is easier than your own?

          Years ago my mom was in a babysitting co-op where the families would trade babysitting and keep track of hours. No money changed hands. I’m wondering about a personal assistant co-op where you could get help with all the stuff you are procrastinating in exchange for doing internet research, writing letters, whatever there is that could actually be done by someone else.

          Just an idea.

          • Bemo
            Not just an idea… but possibly a great idea. Working on someone else’s procrastination list seems almost easier for some reason.
          • K8
            I’m totally into this idea. Feel free to email me any time if someone wants to get this off the ground.
          • Thomas
            If it were me, I’d probably just get the other person to use Taskrabbit. That way the infrastructure is all taken care of. Just don’t exchange any money. :)
    • B
      Good one
    • Terence
      Haha.. I will also be willing to pass on my pwd if the hacker wouldn’t mind completing my tasks.. Great response Shoop!
    • V.
      Totally agree with you :)
    • cm
      already out of curiosity send it to me… ;)
      no idea if I will help you but at least good for benchmarking myself….
  • Patrick
    Really! If you want to hack my account at least take some of my tasks away!
  • Kenneth
    Does this apply to people who log in via their Google accounts? Another service we use said that if you log in to their site via a Google account, nothing needs to be changed.
    • Enrico
      Good point! We are in the same situation – Alex please please on this!
      • Rob
        I’m wondering the same thing! I changed my google password… so does anything need to be changed in Asana??
    • Alex
      If you’ve only logged in with a Google account, then you don’t need to update anything.
      • Paul
        Thanks for this… you might want to update the post above or the warning in Asana to let people know as I tried changing my password and it wasn’t letting me (duh, because I’ve used Google account since day 1).

        Thanks!

      • Ken Simpson
        In other words, Google, once again, is totally amazing.
      • Daniel
        Just make sure you changed your Google password after they patched their servers.
  • Ellen
    If we are using Google oAuth & don’t have an Asana pw — any issues? Should we destroy credentials and reconnect?
  • Chan
    Will it affect those who logged in with Google accounts as well?
  • Mark
    “This week, a major security flaw was detected in OpenSSL, the open-source encryption standard used by the majority of websites and services.”
    Apparently less than 1/5 of trusted sites affected.
    http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html
  • David
    Have you patched your other potentially vulnerable devices like your routers?
    • Alex
      We run on AWS, so we don’t have control over any routers. However we don’t believe this should present any risk to user data — all of the endpoints where user data is encrypted and decrypted have been patched.
  • Aarne
    With having so much written content do you ever run into any issues of plagiarism or copyright infringement? My site has a lot of unique content I’ve either authored myself or outsourced but it seems a lot of it is popping up all over the internet without my agreement. Do you know any ways to help reduce content from being stolen? I’d really appreciate it.
  • Thresa
    Please let me know if you’re looking for an author for your weblog. You have some really great posts and I believe I would be a good asset. If you ever want to take some of the load off, I’d absolutely love to write some content for your blog in exchange for a link back to mine. Please blast me an email if interested. Cheers!