Late yesterday, a flaw in a critical piece of Internet security infrastructure, Secure Sockets Layer (SSL), was announced to the public.
The bug, called Heartbleed, affects Internet servers that use certain versions of the OpenSSL libraries. An attacker could read small portions of server memory, including data that would normally be encrypted, such as password data and SSL private keys.
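Because only certain OpenSSL releases carry the bug, the first thing an administrator wants is a quick way to triage an inventory of `openssl version` banners. The script below is an added example written for this post, not code from the original announcement or from the OpenSSL project; the affected range it encodes (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g and 1.0.2-beta2, with 0.9.8 and 1.0.0 never affected) comes from the OpenSSL security advisory, while the function names and the sample inventory are constructed for illustration.

```python
import re

# Heartbleed (CVE-2014-0160) affects upstream OpenSSL 1.0.1 through 1.0.1f and
# 1.0.2-beta1. The fix shipped in 1.0.1g and 1.0.2-beta2. The 0.9.8 and 1.0.0
# branches predate the TLS heartbeat extension and were never affected.
FIRST_FIXED_101_LETTER = "g"   # 1.0.1g is the first fixed 1.0.1 release
FIRST_FIXED_102_BETA = 2       # 1.0.2-beta2 is the first fixed 1.0.2 prerelease

# Matches the start of an `openssl version` banner, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
# or "OpenSSL 1.0.2-beta1". Trailing text (dates, "-fips") is ignored.
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE
)


def parse_openssl_version(banner):
    """Parse a banner into (major, minor, patch, letter, beta). Raises ValueError if unparseable."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter.lower(), (int(beta) if beta else None)


def is_heartbleed_affected(banner):
    """Return True if the *upstream* version in the banner falls in the affected range.

    Caveat: distributions that backported the fix keep the old banner (commonly
    1.0.1e), so a True result means "verify the package changelog", not "proven vulnerable".
    """
    major, minor, patch, letter, beta = parse_openssl_version(banner)
    if (major, minor) != (1, 0):
        return False                                   # 0.9.8 and 1.1.x never affected
    if patch == 1:
        return letter < FIRST_FIXED_101_LETTER         # 1.0.1 .. 1.0.1f affected, 1.0.1g+ fixed
    if patch == 2:
        return beta is not None and beta < FIRST_FIXED_102_BETA  # only 1.0.2-beta1 affected
    return False                                       # 1.0.0x never affected


def triage(inventory):
    """Map each (host, banner) pair to an 'AFFECTED' / 'not affected' / 'unknown' verdict."""
    verdicts = {}
    for host, banner in inventory:
        try:
            verdicts[host] = "AFFECTED" if is_heartbleed_affected(banner) else "not affected"
        except ValueError:
            verdicts[host] = "unknown"                 # banner could not be parsed; inspect by hand
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders, not real systems.
    SAMPLE_INVENTORY = [
        ("web-01.example.test", "OpenSSL 1.0.1e 11 Feb 2013"),
        ("web-02.example.test", "OpenSSL 1.0.1g 7 Apr 2014"),
        ("lb-01.example.test",  "OpenSSL 1.0.2-beta1"),
        ("legacy.example.test", "OpenSSL 0.9.8y 5 Feb 2013"),
        ("odd.example.test",    "LibreSSL 2.0.0"),
    ]
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-22s %s" % (host, verdict))
```

Run it against the real output of `openssl version` collected from your hosts. The check is deliberately conservative: because several Linux distributions patched Heartbleed in place while leaving the banner at 1.0.1e, an AFFECTED verdict is a prompt to confirm via the package changelog or a rebuilt library, not a finding on its own.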
We have been rolling out fixes to affected machines we control over the last 24 hours, and believe we have completed patching of all critical systems by 4pm yesterday.
News stories on the issue range from urging you to change important passwords to predicting imminent Armageddon. As usual, the truth is somewhere in the middle.
Unless a provider tells you that their servers were affected, you really have no way of knowing whether they were compromised, because exploiting this bug leaves no trace in ordinary server logs.
What we recommend in this case is caution and selective corrective action. Some high-profile websites that were affected in some part include Dropbox, Yahoo, Facebook, Google, Twitter and Microsoft, and credentials for some of those could be revealed through the out-of-bounds memory read. The ability to perform this attack was out in the wild from Monday morning, and fixes were deployed as late as 3pm yesterday. If you accessed one of those services in that timeframe, it is possible, but not necessarily likely, that your username and password for those services were recoverable by third parties. We would recommend changing your password for that service.
Over the next week, we will be re-issuing SSL certificates for a few servers as a precautionary measure.