On April 7th, 2014 (yesterday), a zero-day vulnerability in OpenSSL, CVE-2014-0160, was disclosed under the name “Heartbleed”. It lets an attacker read up to 64 kilobytes of the server process’s memory per malformed heartbeat request, repeated as often as they like, from any server terminating SSL/TLS with a vulnerable version of OpenSSL (1.0.1 through 1.0.1f). Memory read that way can include private keys, session cookies and user data. We’ve patched the vulnerability in our service and taken steps to avoid further information leakage.
Like many other sites, we use Amazon Web Services’ Elastic Load Balancers and CloudFront distributions to carry out our SSL termination. Both of these services were running OpenSSL versions that were vulnerable to Heartbleed. Our particular load balancers and distributions were patched this morning by 7:30am PST.
We’re taking a number of additional steps to make sure your information is kept safe and secure.
- We’ve generated new private keys for all of our SSL certificates and updated them. We updated the certificates shortly after detecting that our ELBs had been patched.
- We’ve reset all user sessions for Segment.
- We’re in the process of revoking our old certificates.
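One check worth running after a rotation like the one above, as an added example that is not part of the original post or Segment’s own tooling: confirm that the replacement certificate actually carries a new key and was issued after the patch. Reissuing a certificate on the old private key leaves a possibly leaked key in service, and a key generated while the endpoint was still vulnerable could itself have been read out of memory. The Go program below compares the SubjectPublicKeyInfo fingerprints of an old and a new certificate and checks the new certificate’s NotBefore against the patch time. The key pairs, self-signed certificates, hostname and patch time are all constructed in-process and hypothetical; they stand in for the old certificate from your records and the new one served by the load balancer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// SPKIFingerprint hashes the certificate's SubjectPublicKeyInfo. Two
// certificates with the same fingerprint are backed by the same key pair,
// however different their serial numbers, dates or issuers look.
func SPKIFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// KeyRotated checks the two properties a post-Heartbleed replacement needs:
// the new certificate carries a fresh key, and it was issued after the server
// was patched. It returns a reason when the check fails.
func KeyRotated(oldCert, newCert *x509.Certificate, patchedAt time.Time) (bool, string) {
	if SPKIFingerprint(oldCert) == SPKIFingerprint(newCert) {
		return false, "certificate was reissued with the old private key"
	}
	if newCert.NotBefore.Before(patchedAt) {
		return false, "new certificate predates the patch"
	}
	return true, "ok"
}

// selfSigned mints a self-signed certificate for priv (hypothetical helper).
// It stands in for the CA-issued certificate you would really compare; the
// check only looks at the public key and the validity start.
func selfSigned(priv *ecdsa.PrivateKey, serial int64, notBefore time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed hostname
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Scenario builds an old certificate and a replacement and returns the verdict.
// mode selects how the replacement was done: "reissue" keeps the old key,
// "rotate" uses a fresh key issued after the patch, and "early" uses a fresh
// key but a certificate issued before the patch. patchedAt is the time the
// vulnerable OpenSSL was replaced.
func Scenario(mode string, patchedAt time.Time) (bool, string, error) {
	oldKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, "", err
	}
	oldCert, err := selfSigned(oldKey, 1, patchedAt.Add(-30*24*time.Hour))
	if err != nil {
		return false, "", err
	}
	newKey := oldKey
	issuedAt := patchedAt.Add(time.Hour)
	switch mode {
	case "rotate":
		newKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	case "early":
		newKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		issuedAt = patchedAt.Add(-time.Hour)
	}
	if err != nil {
		return false, "", err
	}
	newCert, err := selfSigned(newKey, 2, issuedAt)
	if err != nil {
		return false, "", err
	}
	ok, why := KeyRotated(oldCert, newCert, patchedAt)
	return ok, why, nil
}

func main() {
	patchedAt := time.Date(2014, 4, 8, 14, 30, 0, 0, time.UTC) // constructed patch time
	for _, mode := range []string{"reissue", "rotate", "early"} {
		ok, why, err := Scenario(mode, patchedAt)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-8s rotated=%v (%s)\n", mode, ok, why)
	}
}
```

Against a live endpoint you would take the old certificate from your own records, fetch the new one from the load balancer (for example with `openssl s_client -connect host:443 -showcerts`), parse both with `x509.ParseCertificate` and hand them to `KeyRotated` with the time the patch landed. Comparing SPKI fingerprints rather than serial numbers or dates is the point: a reissued certificate looks brand new on every field except the one that matters.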
We don’t have any reason to believe that Segment was actually a victim of any malicious activity. However, due to the nature of the bug, there’s no way to guarantee that an attacker didn’t try to gain access to private information. If you’d like to be extra cautious, we recommend resetting your Segment password.
We take your security and privacy extremely seriously, and we’ll continue to do our best to be as transparent as possible. If you have any questions or concerns, don’t hesitate to email us at email@example.com.