Security Update: Heartbleed OpenSSL vulnerability

UPDATE (2014-04-16): We have confirmed that all old certificates were added to the Certificate Revocation List (CRL) provided by the certificate issuer by April 15th at 8:38.

On April 7th, a critical vulnerability in the widely used cryptography library OpenSSL was reported. 

This vulnerability, known as Heartbleed, allows a remote attacker to steal private information held by our services.

What we’re doing about the issue

Soon after we noticed the issue, we started to protect our services and the websites we’re maintaining.

As of April 8th, 14:00 (UTC), we’ve completed patching the affected versions of OpenSSL on all our servers. We have also confirmed that the affected load balancer provided by Amazon Web Services, which we use in some of our services, was fixed on April 9th at 0:00 (UTC). See AWS’s update on this issue for details.

So far, we’ve not detected any attacks against our services. However, the nature of this vulnerability is known to make detection difficult. Therefore, we decided to replace the SSL certificates used in all of our services and completed the replacement on April 9th at 4:00 (UTC). Old certificates will be revoked by certificate issuers.

In addition, we plan to reset all auto log-in information created before April 9th on each service. Some of you may have to sign in to our services again.

Although we have taken the necessary measures and confirmed with the SSL Server Test and other tools that we are no longer under threat, we will continue to monitor our services closely during this time.

What you can do about it

To keep your information secure, we strongly recommend you update your password on our services.  

If you’re using any of our services’ APIs, re-issue the credentials for your applications.

Please contact us if you’d like more details about what we have done with each of our services.


We enabled cipher suites supporting Perfect Forward Secrecy on our servers last August, which makes it impossible for an attacker to read old encrypted communication with a stolen encryption key. This mitigation has also been adopted by services such as Twitter and GitHub. We will keep updating our security system to ensure the maximum safety of our services.
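
Forward secrecy protects only the connections that actually negotiate an ephemeral (ECDHE/DHE) key exchange. The following added example (not code from the original post) audits a server cipher list for suites without forward secrecy and for such suites ranked ahead of forward-secret ones; the sample list is constructed, and the ordering check assumes the server enforces its own preference order.

```python
# Added example: audit a TLS cipher list for forward secrecy.
# Accepts OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256) and IANA names
# (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256).

# Ephemeral, authenticated Diffie-Hellman key exchanges. Anonymous suites
# (ADH/AECDH) are ephemeral but unauthenticated, so they are not counted.
FORWARD_SECRET = {"ECDHE", "DHE", "EDH", "TLS1.3"}
_PREFIXES = ("ECDHE", "DHE", "EDH", "ECDH", "DH", "ADH", "AECDH", "PSK", "SRP")


def key_exchange(name):
    """Return the key-exchange family encoded in a cipher-suite name."""
    n = name.upper()
    if n.startswith("TLS_"):
        if "_WITH_" not in n:
            # TLS 1.3 names carry no key exchange; a full TLS 1.3
            # handshake always uses ephemeral (EC)DHE.
            return "TLS1.3"
        n = n[len("TLS_"):].split("_WITH_")[0].replace("_", "-") + "-"
    for kx in _PREFIXES:
        if n.startswith(kx + "-"):
            return kx
    return "RSA"  # OpenSSL names omit the prefix for static RSA key exchange


def audit(preference_order):
    """Audit a cipher list given in server-preference order (assumption)."""
    rows = [(c, key_exchange(c)) for c in preference_order]
    fs_idx = [i for i, (_, kx) in enumerate(rows) if kx in FORWARD_SECRET]
    last_fs = max(fs_idx, default=-1)
    non_fs = [c for c, kx in rows if kx not in FORWARD_SECRET]
    # A non-FS suite ranked above an FS suite can be selected even for
    # clients that support ECDHE/DHE, leaving that traffic decryptable
    # later with a stolen private key.
    shadowing = [c for i, (c, kx) in enumerate(rows)
                 if kx not in FORWARD_SECRET and i < last_fs]
    return {"non_fs": non_fs, "shadowing": shadowing, "all_fs": not non_fs}


# Constructed sample configuration, not the configuration of any real site.
SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",                              # static RSA, ranked too high
    "DHE-RSA-AES256-SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDH-RSA-AES128-SHA",                     # static ECDH, no FS
    "DES-CBC3-SHA",
]

if __name__ == "__main__":
    for field, value in audit(SAMPLE).items():
        print(field, value)
```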
