Divshot and Heartbleed (CVE-2014-0160)

TL;DR: We've updated everything, user data was protected by the time it was announced. To be extra safe, you may want to change your password.

By now you've likely heard about Heartbleed, the OpenSSL vulnerability that allows attackers to access small bits of server memory. This can potentially expose sensitive information including passwords, emails, and private cryptography keys.

We take application security seriously at Divshot, and when we heard about the Heartbleed bug we carefully tracked the progress of patch rollouts with our infrastructure partners. Our API (the only one of our services that might leak user information) terminated SSL through CloudFlare who knew about the vulnerability a week in advance. Thanks to this, our API servers were already immune by the time the disclosure went public.

Once all of our infrastructure partners had updated OpenSSL, we created new private keys for our SSL certificates and had them re-issued on the unlikely chance that a private key had been leaked from one of our servers. As of today the new certificates have been rolled out across all of our services and hosted applications.

We do not believe that any sensitive user information was compromised or exposed as a result of the Heartbleed bug. However, as this vulnerability existed for nearly two years before it was discovered, we join other sites in encouraging an abundance of caution and change your Divshot password just to be safe. Again, we have no evidence or indication that any user data was affected.

If you have any questions, please feel free to reach out to us.