We’ve recently had some questions regarding the Heartbleed SSL bug and how this may have affected Actionstep users.
Firstly, Actionstep patched all servers within hours of the public disclosure of the vulnerability, and all SSL certificates were re-issued.
Secondly, the Heartbleed SSL bug could only be exploited when data was in transit to/from Actionstep’s servers. The data stored in Actionstep itself is safe.
Actionstep’s infrastructure leverages a middle layer where all SSL connections are handled before data is passed to the application layer, which in turn talks to the backend databases and file storage systems.
Since that middle layer does not communicate directly with the backend services where all the data is stored, only in-transit information was at risk. This includes anything that a user sent to or received from Actionstep servers during the time the bug was present.
Data that wasn’t accessed during that time was not at risk. However, as a precaution, we recommend users update their passwords.
For more information: Heartbleed SSL bug
A great article on the Heartbleed bug, especially for lawyers: The Lawyerist
For a full list of sites that were affected: Mashable