We’ve been spending the last two days auditing and responding to the OpenSSL vulnerability that’s known as Heartbleed. This bug is notable because it is widespread (around 70% of the Internet uses Apache and Nginx, and by extension, OpenSSL) and can cause disclosure of sensitive data, including private keys and passwords. The issue has been assigned the following CVE identifier: CVE-2014-0160.
On Tuesday, April 8th, our initial action was to promptly begin applying security updates as they became available for the various types of systems we use. As a precaution, we also cleared all logged-in sessions for all accounts and users, which required everyone to log in again.
We’ve audited our systems and currently have no indications of any unauthorized access. However, as a precaution, we rekeyed and reissued all of our SSL certificates.
Out of an abundance of caution, we do recommend resetting your password. You can also reset your API key. It’s easy in Postmark: go to your Server > Credentials tab > Generate a new Key.
We know this is affecting an incredible number of apps and websites, many run by our own customers. If we can help you based on our own knowledge, please get in touch. And of course, if you have any concerns, please email support.