Note: In SuccessWhale versions prior to v3.0.4, passwords were stored as hashes computed with the weak MD5 algorithm. v3.0.4 upgrades this to the much more secure bcrypt algorithm, but as a side effect users' previous passwords can no longer be used for login. If you are affected by this, please log in using Twitter or Facebook, then recreate your alternative login credentials from the Config page.

There is no evidence that the SuccessWhale database was compromised at any point, so there is no need to change your passwords.

Privacy

SuccessWhale is a Twitter and Facebook client — to use it, you must give it access to the Twitter and Facebook accounts you would like to use it with. This process is done using OAuth, which means that at no point does SuccessWhale see your Twitter or Facebook passwords.

We ask the services for the following permissions. For Twitter:

For Facebook:

SuccessWhale doesn't do anything with your accounts unless you ask it to.

Aside from access tokens for these services, SuccessWhale stores your user preferences, such as your column setup and preferred theme. It does not store any personal data, and does not log your activities.

At any time, you can disconnect one or more of your accounts from SuccessWhale, which will prevent SuccessWhale from accessing them. You may also delete all your SuccessWhale data at once if you leave the service, which will remove all accounts and user preferences. No records of your account will be retained.

Security

SuccessWhale is a JavaScript-based web application that communicates with an API. All this communication is conducted using HTTPS, and the web application is also available via HTTPS. (Please note that I do not have a CA-signed certificate for the successwhale.com domain. SuccessWhale is hosted on my own server using a self-signed certificate. This means that your browser is likely to warn you when visiting https://www.successwhale.com that the connection is untrusted. If you prefer to avoid this potential issue, the application can be accessed at https://successwhale.heroku-app.com.)

Authentication between the web application and the API uses a complex token string stored in a cookie on your computer. You must therefore allow cookies from SuccessWhale's domain in order to use it.

The token string remains valid for one month once it is generated. After a month, the token becomes invalid and the user must log in again to continue using SuccessWhale.

For users who often use networks that block Twitter and Facebook, SuccessWhale offers an alternative method of logging in (other than authenticating with one of those services). SuccessWhale users can create a username and password with which they can authenticate directly with SuccessWhale. When creating an alternative login and when using it to log in, the password is only ever transmitted over HTTPS. On the server side, passwords are salted and hashed using bcrypt before being added to the database.
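The following is an added illustration of the password handling described here and in the note at the top of the page; it is example code, not SuccessWhale's own. It assumes an in-memory dict as the user store and uses hashlib.pbkdf2_hmac from the Python standard library in place of bcrypt (which needs a third-party package), so it shows per-user salting, slow hashing and constant-time comparison, and why a pre-v3.0.4 MD5 record cannot be converted to the new scheme without the plaintext and is therefore rejected until the user recreates their credentials.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store; SuccessWhale's real schema is not shown on the page.
# Pre-v3.0.4 records hold an unsalted MD5 hex digest; newer records hold a salted,
# iterated hash. pbkdf2_hmac stands in for bcrypt here (assumption, see lead-in).
ITERATIONS = 200_000


def create_credentials(store, username, password):
    """Create an alternative login: fresh random salt, slow hash, no plaintext kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    store[username] = {
        "scheme": "pbkdf2_sha256",
        "salt": salt.hex(),
        "hash": digest.hex(),
        "iterations": ITERATIONS,
    }


def verify_login(store, username, password):
    """Return 'ok', 'bad_password', 'legacy_reset_required' or 'no_such_user'."""
    record = store.get(username)
    if record is None:
        return "no_such_user"
    if record["scheme"] == "md5":
        # The plaintext was never stored, so an MD5 digest cannot be re-hashed into
        # the new scheme server-side. Following the page's stated behaviour, such
        # records are rejected: the user logs in via OAuth and recreates credentials.
        return "legacy_reset_required"
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    if hmac.compare_digest(digest.hex(), record["hash"]):
        return "ok"
    return "bad_password"


def legacy_record(password):
    """Constructed pre-v3.0.4 style record: unsalted MD5 digest, as the note describes."""
    return {"scheme": "md5", "hash": hashlib.md5(password.encode()).hexdigest()}
```

Two users who choose the same password get different stored hashes because each record has its own salt, which is the property the unsalted MD5 scheme lacked.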