CanadaHelps’ Response to CVE-2014-0160 (Heartbleed)

April 14, 2014: This post has been updated to reflect the most up-to-date information available.

The security of our CanadaHelps Donors and Charity partners is of the utmost importance to us.

We wanted to take a moment to address how the team at CanadaHelps rapidly responded in light of the April 7th disclosure of CVE-2014-0160, better known as Heartbleed, a security vulnerability that impacted nearly all service providers on the Internet.

What did CanadaHelps do about it?
CanadaHelps’ Chief Technology Officer and Web Operations Team immediately completed a comprehensive security review as a direct response to the situation. We stopped using the impacted software, and while there was no evidence that our HTTPS certificate was compromised, we prudently replaced it anyway.

Am I at risk?
Our internal investigation showed no evidence that any CanadaHelps user or account credentials were compromised.

Many service providers on the internet were affected by this vulnerability; however, the risk this vulnerability posed to CanadaHelps donors is low.

It is good practice to occasionally change your password on all the websites you use on a regular basis. As an extra precaution, we recommend you change your CanadaHelps Account password at this time.

We take your online security seriously. We are confident that we have taken the necessary steps to eliminate this vulnerability and protect your personal information.

If you still have questions, please contact our customer support team at 1-877-755-1595 or email info@canadahelps.org.

Sincerely,

The CanadaHelps Team


One Response to “CanadaHelps’ Response to CVE-2014-0160 (Heartbleed)”

  1. Duncan McLean

    Your Heartbleed advisory is pretty standard fare. “No signs, all patched now”. As this form of capturing server memory snippets left NO trace afterwards, what did you expect to see? It would be more honest if organizations gave the dates from when to when during which their servers were using the vulnerable SSL. And then the specific extent of the data that was open to capture during that period. Easy to change your password. Not so much your identity.
