On April 7th, a new security vulnerability was announced in OpenSSL, a cryptography library used to secure most of the traffic on the internet. This vulnerability, commonly known as Heartbleed, allowed attackers to read parts of the system memory of a vulnerable server. Among other things, it could be used to read passwords, cookies, or the cryptographic keys used in secure communications.
Tadpole servers use OpenSSL, and although we have no reason to believe that any compromise occurred, the most prudent course of action is to change your passwords.
All our servers that were using the vulnerable version of OpenSSL were patched quickly after the vulnerability’s announcement. We replaced all SSL certificates once we were sure that we were no longer vulnerable. We’ve since done a top-to-bottom review of all systems and believe that all concerns have been addressed.
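The two remediation steps described above (patch the library, then re-issue certificates only once the patched build is in place) are the ones an administrator would want to verify on each host. The following shell functions are an added example written for this notice, not Tadpole's own tooling: they classify an `openssl version` banner against the upstream Heartbleed-affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g) and check that a certificate's `notBefore` date, as printed by `openssl x509 -noout -startdate`, falls on or after a chosen cutoff. The sample banner and `notBefore` line are constructed for the example. One caveat built into the comments: distribution packages that backported the fix keep the old version string, so on those systems the version check alone is not conclusive and the package changelog must be consulted.

```shell
#!/bin/sh
# Added example (not part of the original notice): verify Heartbleed remediation
# on a host by checking the OpenSSL version string and the re-issue date of a
# certificate. Assumptions: upstream version strings; distributions that
# backported the fix (keeping e.g. "1.0.1e" in the banner) need a package-level
# check instead, which this script does not perform.

# heartbleed_affected VERSION -> exit 0 if VERSION is in the affected upstream
# range (1.0.1 .. 1.0.1f, or 1.0.2-beta1), 1 otherwise. Suffixes such as
# "1.0.1e-fips" are treated like the base version.
heartbleed_affected() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
        1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# version_from_banner BANNER -> print the bare version token from an
# `openssl version` banner such as "OpenSSL 1.0.1e 11 Feb 2013".
version_from_banner() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# cert_reissued_after NOTBEFORE_LINE CUTOFF_YYYYMMDD -> exit 0 if the
# certificate's notBefore (e.g. "notBefore=Apr  9 10:00:00 2014 GMT") is on or
# after the cutoff, 1 otherwise. A certificate issued before the host was
# patched must be treated as potentially exposed and replaced again.
cert_reissued_after() {
    notbefore=$(printf '%s\n' "$1" | sed 's/^notBefore=//')
    ymd=$(printf '%s\n' "$notbefore" | awk '{
        m = index("JanFebMarAprMayJunJulAugSepOctNovDec", $1);
        printf "%04d%02d%02d", $4, (m + 2) / 3, $2 }')
    [ "$ymd" -ge "$2" ]
}

# Constructed sample input (on a real host: `openssl version` and
# `openssl x509 -noout -startdate -in server.crt`).
sample_banner='OpenSSL 1.0.1e 11 Feb 2013'
sample_notbefore='notBefore=Apr  9 10:00:00 2014 GMT'
patch_cutoff=20140408   # constructed: the day this host was patched

ver=$(version_from_banner "$sample_banner")
if heartbleed_affected "$ver"; then
    echo "OpenSSL $ver: in the affected range (confirm backported fix via package changelog)"
else
    echo "OpenSSL $ver: not in the affected range"
fi
if cert_reissued_after "$sample_notbefore" "$patch_cutoff"; then
    echo "certificate re-issued on or after patch date: ok"
else
    echo "certificate predates the patch: replace it"
fi
```

Run it on each host after patching; a certificate that predates the patch date must be re-issued, because its private key may have been readable from memory while the vulnerable build was serving traffic.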
The Heartbleed vulnerability was a near-unprecedented security event. It is estimated that hundreds of thousands of servers, representing around two-thirds of all internet services, were also affected. You should check whether other sites and services you use were vulnerable, and consider resetting your password on all of them.
It’s a good practice to change your passwords frequently. How frequently? How about quarterly? If that sounds like a lot of work, why not think about using a secure password manager, such as LastPass, KeePass, or 1Password? These tools are reasonably priced and give you an easy way to follow best-practice guidelines for all your web accounts.