On April 7, 2014, a critical vulnerability in the OpenSSL cryptography library was announced as CVE-2014-0160, better known as the Heartbleed bug. This vulnerability allows an attacker to read information that is normally protected by the SSL/TLS encryption used to secure the Internet. Information that is susceptible to this attack includes private server keys, SSL certificates, and user session information.
After a thorough review, we have no indication that this vulnerability has been used to attack any uservoice.com account or subdomain, and we are continuing to monitor the situation closely.
What we are doing about it
As of April 8, 7:43 am PST, our engineering team had patched OpenSSL across all of our public-facing servers. After confirming that the patch was successful and that no UserVoice domain was still susceptible to attack, we replaced all private server keys in our infrastructure. We’ve also replaced our SSL certificates and are in the process of revoking the old ones. We’ll be reaching out separately to those customers who have hosted SSL certificates with us.
Additionally, we will be forcibly resetting all user sessions this afternoon, which will require you to log back into our app. We’re taking this step as an extra precaution to protect your sensitive information.
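As an added illustration of the "confirm the patch was successful" step (example code written for this post, not UserVoice's own tooling), here is a small Python triage of `openssl version` output across a constructed host inventory. It assumes the affected range for CVE-2014-0160 (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1) and flags the caveat that distribution packages often backport the fix without changing the version letter, so a "vulnerable" verdict from the version string alone must be confirmed against the vendor advisory or build date.

```python
import re

# Affected releases for CVE-2014-0160: OpenSSL 1.0.1 (no letter) through 1.0.1f,
# and the 1.0.2-beta1 pre-release. 1.0.1g (7 Apr 2014) is the first fixed 1.0.1
# release; 0.9.8 and 1.0.0 never contained the TLS heartbeat code.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-[A-Za-z0-9]+)?")


def classify_openssl_version(version_line: str) -> str:
    """Classify one line of `openssl version` output.

    Returns 'unaffected', 'fixed', or 'vulnerable-unless-backported'. The last
    value is deliberate: Debian/RHEL-style packages keep the upstream version
    letter (e.g. still 1.0.1e) after patching, so only the package changelog or
    build date can settle it.
    """
    m = VERSION_RE.match(version_line)
    if not m:
        raise ValueError(f"unrecognised version line: {version_line!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    letter, suffix = m.group(4), m.group(5) or ""
    if (major, minor, patch) == (1, 0, 1):
        # '' (plain 1.0.1) and 'a'..'f' sort below 'g' -> affected
        return "fixed" if letter >= "g" else "vulnerable-unless-backported"
    if (major, minor, patch) == (1, 0, 2):
        return "vulnerable-unless-backported" if suffix == "-beta1" else "fixed"
    return "unaffected"


def hosts_needing_attention(inventory: dict) -> dict:
    """Map host name -> verdict for every host that is not provably safe."""
    return {
        host: verdict
        for host, line in inventory.items()
        if (verdict := classify_openssl_version(line)) == "vulnerable-unless-backported"
    }


# Constructed sample inventory (hypothetical host names, not real UserVoice servers).
SAMPLE_INVENTORY = {
    "web-1": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-2": "OpenSSL 1.0.1g 7 Apr 2014",
    "lb-1": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy-1": "OpenSSL 0.9.8y 5 Feb 2013",
}

if __name__ == "__main__":
    for host, verdict in sorted(hosts_needing_attention(SAMPLE_INVENTORY).items()):
        print(f"{host}: {verdict} (check vendor advisory / build date before trusting)")
```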
Extra precautions that you can take
If you would like to take extra steps to protect your information, we recommend resetting your password and API tokens. Once again, we have no information indicating that any UserVoice account has been attacked, but it’s always a good idea to keep your passwords fresh.
We hope this answers any questions you have about this bug and the steps we’ve taken. If you have any concerns, please feel free to contact us at firstname.lastname@example.org.
Key photo courtesy of Kris Krug