On April 7th, 2014 a serious new security vulnerability in the OpenSSL library called “Heartbleed” was publicly revealed. OpenSSL is a cryptographic library that, by many estimates, 66% of all Internet websites use to secure information.
TunnelBear websites and servers were also vulnerable to the bug. Within hours of the public announcement, TunnelBear updated OpenSSL and revoked/replaced our certificates. We have also pushed updates to our OSX, PC and Android apps.
What were the risks before TunnelBear updated OpenSSL and apps?
Although unlikely, it’s theoretically possible that a sophisticated attacker could have captured email addresses or passwords. It’s also possible that a very well-resourced attacker could have used the Heartbleed bug to steal TunnelBear’s private key and intercept your secure communications. To be clear, there is currently no evidence that this is the case.
What are the risks today?
If you are just joining TunnelBear, you have absolutely no risk; Heartbleed has been fully addressed.
If you are an existing TunnelBear user, we recommend you follow the extra precautionary instructions below to eliminate even the most remote threat of Heartbleed affecting you.
What do I need to do?
- Although TunnelBear automatically updates, double-check you have updated to the latest version of TunnelBear. The latest versions of TunnelBear are:
- Change your TunnelBear password (https://www.tunnelbear.com/passwordReset/)
What about TunnelBear for iPad/iPhone?
This bug does not affect TunnelBear for iPad and iPhone. However, once you change your password, you will need to download a new profile on your iOS device. Here are the instructions on how to delete the existing profile and install a new profile.
TunnelBear is Serious About Your Privacy
TunnelBear responded quickly to the Heartbleed vulnerability and updated affected systems and applications within hours. While we like to have funny bear-graphics on our site, we take our commitment to your online privacy very, very seriously.