We Take Security Seriously
At Action Network, we take security seriously. As an ally and a partner with the progressive movement, a movement that went through significant data breaches last year, we work to implement best security practices ourselves and help build those practices throughout the movement. We’ll be doing more and more of that throughout the year, helping progressives secure their data and learn how to take the right precautions with their digital lives.
Today is a great example. There was an issue at Cloudflare — an industry-leading service we use as part of our technology stack — that was extremely unlikely to have any effect on us. It would be the reverse equivalent of winning the Powerball lottery to have any of our users affected by this leak. But whenever there’s a question, we err on the side of caution, even when the possibility is extremely remote. Especially when the action users should take — like resetting their passwords — is something they should be doing periodically anyway.
So Jason Rosenbaum, our Director of Technology, sent this email to all of our users:
Yesterday a software bug was disclosed affecting Cloudflare, a service Action Network uses. This bug had the potential to leak sensitive information like passwords or API keys to the public. While right now we do not believe Action Network was affected, it’s impossible to say for certain.
So, we’re writing you out of an abundance of caution to recommend you log out of Action Network, reset your account password using the password reset form on the log in page, log back in, and, if you use the Action Network API, revoke and re-issue any API keys you use from the API & Sync section in the Start Organizing menu. After you’ve done that, your data should be safe from any impact this bug may have.
You can find a balanced rundown of the bug here. Cloudflare’s detailed description of the bug can be found here. A report from Google, whose security researchers initially found the bug, is here.
Once again, we have no evidence that any Action Network data was affected by this bug. If we receive updates as the situation develops, either proving our data was affected or firmly showing us it was not, we will let you know. However, we treat security very seriously, so out of an abundance of caution, logging out, resetting your password, and revoking and recreating your API keys will prevent any secrets potentially disclosed from being used to access your data without your permission. (We also recommend enabling 2-factor authentication, available when editing your profile, for an extra layer of security.)
If you have any questions, feel free to reply to this email. Your reply will reach me personally.
Thank you for being an Action Network partner,
It would’ve been easy to ignore this issue. Like I said, the chance of any actual harm was extremely remote. But best practices and data integrity are a full-time focus for us, and we think our partners should have every opportunity to protect their accounts.