Security Update: Pocket & the Heartbleed Exploit

You may have heard about a recently discovered internet-wide security vulnerability. Known as “Heartbleed”, this vulnerability was found in OpenSSL, a popular technology that many services like Pocket use to transport private information across the internet securely.

After learning about this vulnerability, we immediately took action and are able to confirm that Pocket is no longer vulnerable.

Here are the steps we took:

  • Quickly patched the issue by deploying updated OpenSSL libraries on our servers
  • Revoked and renewed all of our SSL certificates

These fixes were in place as of 9pm PT on Tuesday, April 8th (4:00 UTC on Wednesday, April 9th).

Moving forward, we strongly recommend that all Pocket users reset their passwords to ensure their data is secure. Click here to change your password.

Users who want to be extra careful can revoke all access tokens from the official Pocket apps as well as third-party integrations. Please note that this will disconnect your Pocket account from all apps, and require that you log in again. Your saved items will be automatically re-downloaded. Click here to remove access from apps.

It’s very likely that this vulnerability affects other services you use and love, and therefore we suggest changing your password on a broader scale to stay safe. For more information about the Heartbleed vulnerability, visit http://heartbleed.com/.

If you have any questions or concerns, we welcome you to email us at security@getpocket.com.