Security Update: Heartbleed Bug

April 9, 2014. Due to the widespread Internet security vulnerability, nicknamed Heartbleed, ORCID has taken immediate steps to ensure the security of user accounts. This vulnerability is related to a cryptography library used to encrypt a large majority of traffic on the Internet. Information that is susceptible to attack includes private server keys, SSL certificates, and user session information. After a thorough review, we have no indication that any attack has been used against any account, and are continuing to monitor the situation closely.

What is ORCID doing about Heartbleed? As of April 9, 2014 our team had patched openssl across all of our servers on the public facing internet. After confirming that the patch was successful and that no ORCID domain was susceptible to attack, we replaced our SSL certificates and reset all user sessions. Although we believe API keys were not affected, as an extra precaution we are working with users of our Member API to reset API credentials

Extra precautions that you can take. If you would like to take extra steps towards protecting your information, we recommend resetting your password, using a password unique from those used on other sites. We have no information that would indicate that any ORCID account has been attacked, but it’s always a good idea to keep your passwords fresh. We hope this answers any question that you have regarding this bug and the steps we’ve taken, and if there is any concern, please feel free to contact us.

For more information about ORCID's security policies see: How do you keep the ORCID Registry secure?