Like many websites, Pushover’s servers were vulnerable to the recently discovered OpenSSL bug CVE-2014-0160, also known as “Heartbleed”. All of Superblock’s servers, including those for Pushover, were quickly patched to fix this bug by the evening of Monday, April 7. As a precaution, we expired all user sessions and created a new session encryption key for pushover.net once the bug was patched.
Once it was verified that private SSL keys could be extracted, we also requested and installed a new SSL certificate for *.pushover.net this morning, Saturday, April 12. We have requested revocation of our old certificate as well.
While we do not have any evidence that this security vulnerability was used to gain access to any of our user accounts or that our private SSL key was ever extracted, we encourage users to update their Pushover password at https://pushover.net/settings. Users concerned about their user keys or application API tokens can contact us for manual regeneration of these tokens.
As always, please feel free to contact us with any questions or comments.