On April 7th, a major web vulnerability called “Heartbleed” was disclosed to the internet. This vulnerability affected a popular security library called OpenSSL, and as a result it affected the security of a large number of sites on the internet, including Splitwise. (A good rundown of who was affected can be found here.)
Shortly after noon on April 8th, the bug was patched on all of our servers. We also issued a new SSL certificate for splitwise.com and initiated the expiration of our old SSL certificate. As a result, we are no longer vulnerable to Heartbleed.
We have no reason to believe that any Splitwise user data was compromised via the Heartbleed vulnerability or that we were the target of an attack, but we are continuing to monitor for any unusual behavior. In addition, we’ve taken this opportunity to implement a few additional security measures, to update passwords for important server components, and to generally review how we respond to security issues.
In summary:
1. The Heartbleed bug was patched shortly after 12pm EDT on Tuesday, April 8th. We issued new a SSL certificate a few hours later, and also revoked our old certificate.
2. As a precaution, we are logging out all users who visited the Splitwise website on April 7th and 8th.
3. Changing your password is recommended as a precaution, especially for users who logged in or created an account during the affected period. You can also log out of all your existing Splitwise sessions by clicking here.
The Splitwise Blog 