OpenSSL vulnerability status update
We’ve spent last two days auditing and responding to the unprecedented OpenSSL vulnerability that is known as Heartbleed. This bug is notable because it is widespread (around 70% of the Internet uses Apache and Nginx, and by extension, OpenSSL) and can cause disclosure of sensitive data, including private keys and passwords. The issue has been assigned CVE identifier CVE-2014-0160.
On Tuesday, April 8th, our initial action was to promptly begin applying security updates as they became available for the varying types of systems we use. As a precaution, we also cleared all logged in sessions for all users and this required everyone to login again.
We’ve audited our systems and currently have no indications of any unauthorized access, however as a precaution, we rekeyed and reissued all of our SSL certificates. We also recommend our users to reset their passwords, just to be on the safe side.
If you are suspicious about any activity in your account, you can always download IP access logs for activity in your account. You can find it on Account -> Security page, available for account owners only.
We know this is affecting an incredible amount of apps and websites, many run by our own customers. If we can help you based on our own knowledge, please get in touch. And of course, if you have any concerns, please email support.