AO3 News

2014-04-09 08:54:04 UTC

As many of you are aware, the Heartbleed Bug is a serious vulnerability in the OpenSSL software library. It is possible for people to gain access to information from vulnerable sites that would allow them to impersonate those sites in order to obtain sensitive data. With some smaller sites, it may be possible to acquire user names and passwords directly.

Two stick figures discuss the data that could be revealed by the Heartbleed vulnerability, including keys, emails, passwords, and erotic fanfiction
Comic courtesy of xkcd

Fortunately, our Systems team has investigated and determined that we have never run a version of OpenSSL on our web servers which is vulnerable to this attack. They have also upgraded OpenSSL and restarted the application on our application servers, even though it should not be possible to exploit any vulnerabilities on those systems.

Login information used only on the Archive should be safe. If you use the same information on other sites, it would be a good idea to change it. Keep in mind that you shouldn't change your password on a site until you know that the site has fixed the vulnerability. You can check the status of a site with this Heartbleed test.

As always, our volunteers will do their best to keep your information safe and alert you to any vulnerabilities as soon as possible.