You’ve no doubt heard about Heartbleed, the security flaw that exposed personal information at many leading websites. The flaw was in OpenSSL, an open-source version of the SSL protocol that is used to encrypt transmissions between you and a website. The flaw created a vulnerability that could have exposed sensitive information. The vulnerability affected several leading Internet companies, including Google, Yahoo and Netflix.
It made me wonder how many companies that cater to the legal profession were affected. I’ve collected a bit of information here. If you know of others, please let me know or add a comment below. If you are unsure about whether a site was vulnerable, LastPass has a Heartbleed checker where you can enter a URL and sometimes get an answer. For a good overview of Heartbleed, see this New York Times Q&A, Aaron Street’s excellent Lawyerist post, or the Heartbleed site.
Most of the sites that were affected have now installed patches to fix the problem. If a site you use was affected, find out if it has been patched. Once it has, log in and change your password.
Before I get to legal sites, note that two document-sharing sites lawyers frequently use — Box and Dropbox — are among those that were affected. If you use either, be sure to change your password. Another site popular with lawyers, Evernote, was not affected. (Mashable has a list of the major websites that were and were not affected.)
Among legal sites, here are some that I have confirmed did use OpenSSL:
- Mootus. Mootus says it has no reason to believe any data was compromised. It took immediate steps to patch the bug and install a new SSL certificate.
- Estate Map. Immediate action was taken to patch the bug and reissue its SSL certificates, among other actions. (But see my Saturday post about Estate Map shutting down.)
- MyCase. “We responded immediately and notified out customers virtually immediately as well, I think quicker than any other company I have seen,” CEO Matt Spiegel told me. They had patched the software and reissued their SSL certificate with 24 hours.
- Clio. Clio posted a notice on its site saying that it “worked tirelessly to patch and secure all systems affected by the Heartbleed bug” and that it has “no evidence that customer information was compromised.”
And here are the ones that I know were NOT affected:
- LexisNexis Firm Manager. Even though it was not affected, it sent an email to users as an extra precaution suggesting they change their passwords. It also cancelled and reissued its SSL certificates. Christopher Anderson, product manager for Firm Manager, said in an email: “This type of exploitation does not and did not pose any threat to the Firm Manager database, and all customer and client data remains secure. Additionally, it is important to note that Firm Manager data is also encrypted at rest, to further secure that data against any database incursion (which has not happened).”
- Rocket Matter. It does not run OpenSSL, according to CEO Larry Port.
- Fastcase. Fastcase does not use OpenSSL, according to CEO Ed Walters.
- Casemaker. It was not affected by the Heartbleed vulnerability.
- Thomas Reuters Firm Central.
- Westlaw.
- DiligenceEngine. Does not use OpenSSL.
I have reached out to other companies and will provide updates here if I hear back from them. Meanwhile, if you know of others, please add them as a comment below.