As you are most likely aware by now, the recent Log4j vulnerability has affected many companies. After the exploit was made public on December 10th, our engineers immediately began a thorough investigation to determine if our systems were vulnerable.
We do not use Java or Log4j in our products, including Postmark. We did, however, identify an internal system that was vulnerable. A component of our logging system uses Log4j to ingest logs and transfer them to a searchable database that is used internally by our staff. We immediately shut down this system and rebuilt it with a version of Log4j that is not vulnerable.
This logging system does not have access to customer credentials (including passwords and payment information), API keys, or templates, although some log messages do include headers from emails sent by Postmark. That said, we conducted a deep review of the affected system over the past few days and there is no evidence that suggests unauthorized access of any kind.
We will continue to remain vigilant and investigate this incident further, and will update this post if we find any additional information or evidence of unauthorized access. If you have any questions, please reach out at any time. We’re here to help.