On April 7, 2014, a serious vulnerability known as Heartbleed (CVE-2014-0160) was disclosed in the OpenSSL cryptography library, affecting many popular software packages and Internet services. The vulnerability could potentially be exploited to steal sensitive data such as encryption keys and user passwords. We have no evidence that any DNAnexus customer data or credentials were compromised using this vulnerability. However, out of an abundance of caution, we have taken the following steps below and will continue to implement security actions in response to this event.
At DNAnexus, the security of our clients is our top priority. As soon as the vulnerability was disclosed, we started identifying services on our platform that were affected. All such services were patched to eliminate the vulnerability within 8 hours after it was initially disclosed. After this initial response, we started a thorough analysis of how our systems and the security of our clients could have been affected.
At this time, we have no reason to believe any customer data or credentials were compromised using this vulnerability. Moreover, none of our services that handle genomic data were directly vulnerable. However, services that handle credential information were affected. The nature of this attack makes it hard to detect, and therefore we have decided to take the following precautions:
To minimize the risk of compromise of your account from possible attacks including this one, we also recommend turning on Two-Factor Authentication (2FA) on the DNAnexus platform, or cycling it if it was already on. Follow these steps:
We welcome customer feedback – if you have any questions or comments about our security practices, please reach us at support@dnanexus.com.