The Heartbleed bug (officially referenced as CVE-2014-0160) was discovered on Monday by researchers at Google Inc. and Codenomicon, a Finnish security firm.
The bug was found in open-source software called OpenSSL, which is used by two-thirds of all web servers for email, instant messaging, and to secure virtual private networks for internal communications. It essentially enables a hacker to steal data from a server, including usernames, passwords, credit card numbers, the private keys that sites use to encrypt and decrypt data, and other sensitive information.
SSL is an encryption technology generally identified by a small, closed padlock icon and a URL that begins with “https:”, which indicate that web site traffic is secure.
According to the Epoch Times, security researchers say the threat remained undiscovered for more than two years. It is unknown whether anyone used this vulnerability to attack any servers during that time, as exploitation of this bug leaves no outside trace.
Because of our configuration and the volume of our service, the risk for Erado is low compared to other impacted service providers. We have no evidence of any breach. Regardless, we are addressing this situation with the highest care and priority. Our security team responded immediately to install the upgrade that was made available earlier this morning. As of 2 p.m. PST, all Erado-owned and managed servers have been successfully upgraded.
Most major service providers should already be updating their sites, so the bug should be less prevalent over the coming weeks.
Best security practices recommend that you change your password every 90 days. In relation to this incident and to mitigate any potential risk of compromise, we recommend changing your password sometime between April 11 and April 18. We would further suggest creating a reminder in your calendar to change your password again every three months.
For more information, go to the statement posted by the OpenSSL project.