Note: In SuccessWhale versions prior to v3.0.4, passwords were stored using the weak MD5 algorithm. v3.0.4 upgrades this to use the much more secure bcrypt algorithm, but as a side-effect users' previous passwords can no longer be used for login. If you are affected by this, please log in using Twitter or Facebook, then recreate your alternative login credentials from the Config page.
There is no evidence that the SuccessWhale database was compromised at any point, so there is no need to change your passwords.
SuccessWhale is a Twitter and Facebook client — to use it, you must give it access to the Twitter and Facebook accounts you would like to use it with. This process is done using OAuth, which means that at no point does SuccessWhale see your Twitter or Facebook passwords.
We ask the services for the following permissions. For Twitter:
- To post as you
- To read your timelines
- To read your private messages
- To update your status
- To publish to your wall
- To read your feeds and wall
- To manage your notifications
- To see your groups
- To see your photos
- To see your friends' photos
- To access your account without needing authorisation every time
SuccessWhale doesn't do anything with your accounts unless you ask it to.
Aside from access tokens for these services, SuccessWhale stores your user preferences, such as your column setup and preferred theme. It does not store any personal data, and does not log your activities.
At any time, you can disconnect one or more of your accounts from SuccessWhale, which will prevent SuccessWhale from accessing them. You may also delete all your SuccessWhale data at once if you leave the service, which will remove all accounts and user preferences. No records of your account will be retained.
Authentication between the web application and the API uses a complex token string stored in a cookie on your computer. You must therefore allow cookies from SuccessWhale's domain in order to use it.
The token string remains valid for one month once it is generated. After a month, the token becomes invalid and the user must log in again to continue using SuccessWhale.
For users who often use networks that block Twitter and Facebook, SuccessWhale offers an alternative method of logging in (other than authenticating with one of those services). SuccessWhale users can create a username and password with which they can authenticate directly with SuccessWhale. When creating an alternative login and when using it to log in, the password is only ever transmitted over HTTPS. On the server side, passwords are salted and hashed using bcrypt before being added to the database.