Last week a security vulnerability known as “Heartbleed” was announced. It affected a large number of internet services that use a piece of open source software called “OpenSSL”. Unfortunately, this vulnerability made it possible for attackers to potentially obtain sensitive information, including usernames and passwords, from any system that used OpenSSL. We are happy to report, however, that this bug did not impact DIY users’ credit card verification and billing information.
DIY is one of the many services that use OpenSSL, and within 24 hours of the vulnerability being announced we had patched our servers. We have also rotated our private keys to ensure the security of everything served over diy.org and our iOS app.
While we have no indications that DIY user information was leaked, we recommend that you take the following steps to ensure that your DIY account is safe:
- Change the password on your DIY account
- Update the DIY iOS app to the latest version (2.5.3)