By now you may have heard about the heartbleed bug, which affected many websites that use encryption. This is the Spanish Flu of security bugs—it hit almost everyone and took a disproportionate toll on the healthiest, those sites that followed security best practices.
Servers affected by the bug (including the Pinboard site and API) could be tricked into sending private information that happened to be in memory. This included authentication cookies, passwords, secret API tokens, and any data you posted to the site. There is also evidence that the bug could expose a site's private key, which would mean anybody eavesdropping on a Pinboard connection could decipher it. The bug was live from the spring of 2012 until I patched the servers on Monday night.
Worst of all, there's no way to tell from logs if anyone's data was exposed. It's possible that no one looked at any Pinboard data; it's also possible that the site was completely compromised.
This morning, I issued a new TLS certificate for the site, with a new private key. Now that the servers are trustworthy, please do these two things:
Change your Pinboard password. Go to https://pinboard.in/settings/password and have at it.
Reset your API token. On that same page (https://pinboard.in/settings/password), click the reset button. You'll need to update any outside services and apps that use the API token to authenticate. (Remember never to share your Pinboard password with any third party, no matter how nicely they ask. Outside sites should be able to get all the access they need using only the API token.)
In layman's terms, the bug was the equivalent of asking a stranger "hey, what's up?" and having them tell you their most private thoughts, going on about their divorce, sharing their credit card info, whatever was on their mind at the time. You could keep asking "what's up" as often as you wanted, and hear new things each time. Worst of all, the stranger would have no recollection that it had happened.
Of course, I heard about heartbleed before it was cool. The servers were patched by around 7 PM on Monday night, California time, before half the Internet started casually playing with Python scripts that exposed the bug.
So only truly malicious people could have seen your Pinboard secrets. Hooray!
In awful times like these, it's good to stop and reflect on the timeless wisdom of the Pinboard security page:
"Please do not store truly sensitive information in your Pinboard account."
I don't want anyone getting shot because I used the wrong Linux distro.
This is terrible! Good luck out there! Please feel free to email me if you have questions, or concerns, or would just like to kvetch.
—maciej on April 09, 2014
Pinboard is a bookmarking site and personal archive with an emphasis on speed over socializing.
This is the Pinboard developer blog, where I announce features and share news.
How To Reach Help
Send bug reports to bugs@pinboard.in
Talk to me on Twitter
Post to the discussion group at pinboard-dev
Or find me on IRC: #pinboard at freenode.net