The Heartbleed Bug (CVE-2014-0160)
On April 7, 2014 at about 17:30 UTC, security researchers announced a serious bug in the OpenSSL software. OpenSSL is the most popular open source cryptographic library and Transport Layer Security (TLS) implementation used to encrypt traffic on the Internet. Whether you are browsing the web, using online banking, sending and receiving emails, chatting, connecting to your office via a Virtual Private Network (VPN) or logging in to your fancy new internet-connected teapot, there's a huge chance that OpenSSL is taking care of an encrypted connection for you.
The discovered vulnerability (CVE-2014-0160, colloquially known as 'The Heartbleed Bug') allows an attacker to retrieve chunks of secure communications and, in the worst case, even the secret keys used for encrypting the data and identifying the service provider.
On the scale of 1 to 10, this is an 11. - Bruce Schneier
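The bug itself is a missing bounds check in OpenSSL's handling of TLS heartbeat requests. The C simulation below is an added illustration, not fruux's or OpenSSL's code: it models a heartbeat record that claims more payload than it carries, shows the pre-1.0.1g handler echoing neighbouring memory, and places the check the 1.0.1g fix added beside it. The buffer layout, offsets and the "SECRETKEY" marker are constructed for the illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a TLS heartbeat request (type byte, 2-byte big-endian
 * payload length, payload, at least 16 bytes of padding) parked at the front
 * of a buffer that stands in for process memory; a constructed "SECRETKEY"
 * marker just past the record plays the neighbouring secret. */
#define MEM_SIZE 128
#define HEADER_LEN 3
#define PADDING_LEN 16
static unsigned char memory[MEM_SIZE];

/* Record claiming `claimed_len` payload bytes but carrying only `actual_len`;
 * returns the bytes that really arrived. Keep claimed_len < MEM_SIZE - 3. */
static size_t build_record(uint16_t claimed_len, size_t actual_len) {
    size_t record_len = HEADER_LEN + actual_len + PADDING_LEN;
    memset(memory, 0, sizeof memory);
    memory[0] = 1;                               /* TLS1_HB_REQUEST */
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memset(memory + HEADER_LEN, 'A', actual_len);
    memcpy(memory + record_len, "SECRETKEY", 9); /* adjacent heap data */
    return record_len;
}

/* Pre-1.0.1g: trust the claimed length; what actually arrived is never checked. */
static size_t heartbeat_vulnerable(size_t record_len, unsigned char *out) {
    (void)record_len;                            /* this omission is the bug */
    uint16_t payload = (uint16_t)((memory[1] << 8) | memory[2]);
    memcpy(out, memory + HEADER_LEN, payload);   /* reads past the record */
    return payload;                              /* bytes echoed into `out` */
}

/* 1.0.1g: the bounds checks the fix added; a record that claims more than it
 * carries is silently discarded, so nothing is echoed. */
static size_t heartbeat_fixed(size_t record_len, unsigned char *out) {
    if (record_len < HEADER_LEN + PADDING_LEN) return 0;
    uint16_t payload = (uint16_t)((memory[1] << 8) | memory[2]);
    if (HEADER_LEN + (size_t)payload + PADDING_LEN > record_len) return 0;
    memcpy(out, memory + HEADER_LEN, payload);
    return payload;
}

/* 1 if the echoed bytes contain the constructed secret, else 0. */
static int leaks_secret(const unsigned char *out, size_t n) {
    for (size_t i = 0; i + 9 <= n; i++)
        if (memcmp(out + i, "SECRETKEY", 9) == 0) return 1;
    return 0;
}
```

With a record built by build_record(64, 4) (claims 64 payload bytes, carries 4), heartbeat_vulnerable echoes 64 bytes that include the marker, while heartbeat_fixed echoes nothing.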
Heartbleed and fruux
No evidence that data was compromised
When information about the bug became public on April 7, we immediately started analyzing the vulnerability by attacking our own servers. We discovered that our load balancers (systems that take care of splitting up requests to multiple backend servers) were vulnerable, but we have no indication that any data was compromised. While attacking our own systems, we couldn't exploit the vulnerability to gain access to our private keys.
Additional security via Perfect Forward Secrecy (PFS)
We have also been using Perfect Forward Secrecy (PFS) for a while, which protects past communications from retrospective decryption even if our keys were compromised - something we have no evidence of and also could not achieve ourselves when attacking our own systems.
What actions have been and should be taken?
We prefer to be safe rather than sorry, so we replaced all of our private keys and SSL certificates anyway after the vulnerability was mitigated on April 8, 2014. We have an A+ rating in the Qualys SSL Server Test. Don't take our word for it - check it yourself. Regardless, it's always good practice to change your passwords from time to time - in light of the Heartbleed bug, we recommend that you treat now as one of those times and change your password.
What about other services?
OpenSSL is so widely used that there is a huge chance that other services you are using have been affected by the Heartbleed bug. Before logging in anywhere, we strongly recommend checking whether the vulnerability has been mitigated and whether the service has replaced its private keys and SSL certificates as a security measure. Tools such as the Qualys SSL Server Test, Heartbleed test or the bleed command line tool can be used to test servers for the vulnerability. If the service you are testing is not vulnerable and you are sure that its private keys and SSL certificates have been replaced, you should change your password there, too.