OpenSSL Heartbleed Security Vulnerability

We've been spending the last 36 or so hours auditing and responding to the OpenSSL vulnerability that's known as Heartbleed. This bug is notable because it is widespread (around 70% of the Internet uses Apache and Nginx, and by extension, OpenSSL) and can cause disclosure of sensitive data, including private keys and passwords. The issue has been assigned the following CVE identifier: CVE-2014-0160.

On Tuesday, April 8th, our initial action was to promptly begin applying security updates as they became available for the varying types of systems we use. As a precaution, we also cleared all logged-in sessions for all accounts and users; this required everyone to log in again to Beanstalk, Postmark and Dploy.io.

We've audited our systems and currently have no indications of any unauthorized access; however, as a precaution, we rekeyed and reissued all of our SSL certificates. Because of the SSL certificate update, if you're using SVN you will most likely have to accept the new certificate the next time you connect to the repository.

For Postmark users: to set you more at ease, please feel free to rotate your API key. It's good practice anyway and is super easy to do within our UI. Additionally for all products, it's always a good idea to update your account password on a routine basis.

We know this is affecting an incredible number of apps and websites, many run by our own customers. If we can help you based on our own knowledge, please get in touch. And of course, if you have any concerns, please email support.
