Just received this email…
System Alert: OpenSSL Heartbleed Security Vulnerability
On Monday, the OpenSSL project released an update to address a serious security vulnerability nicknamed “Heartbleed”. This vulnerability impacts the encryption used for internet communications and could allow access to decrypted HTTPS traffic. Like many service providers, once Mandrill became aware of Heartbleed, we moved to address, and evaluate the impact of, this vulnerability. We know that our users share our concern for security and privacy, so we want you to be aware of the specifics of the Heartbleed vulnerability as it relates to Mandrill.
First and foremost, we have no evidence that the Heartbleed vulnerability was used to obtain any Mandrill data or to access Mandrill services.
Mandrill’s relay and application servers were using affected versions of OpenSSL. Patches have been applied to all impacted servers, a process which was completed and confirmed by 14:00 UTC on April 8th. Although Mandrill utilizes Amazon EC2, we don’t use the disk images provided by Amazon that were found to be affected. Nevertheless, as a precaution, we’ve replaced our private key and SSL certificate, since it’s plausible that Mandrill’s certificates could have been exposed.
What you should do
While there’s no indication that Mandrill user data has been impacted, we strongly recommend that users update their Mandrill account passwords. Since API Keys are used for accessing your account via the API and SMTP, we also recommend deactivating old keys and replacing them with new keys.
Many of our users have sites or applications hosted which store their Mandrill credentials or other sensitive data. So, we also recommend auditing all services you may use to determine if they are also vulnerable, taking steps to repair any vulnerable services, and replacing SSL certificates once the vulnerability has been removed.
Benni Blanco, from the Bronx.
It’s not just Mandrill, it’s everywhere.
OpenSSL is heavily used; many, many, many other sites are affected.
Hat-tip to the Mandrill team for letting their users know!
See here for a list of sites affected and not affected.
PayPal & eBay appear not to be in the list.
Mandrill also emailed just a few days ago to say they had been hacked again and had potentially lost emails, but not the contents of emails.
I guess email aggregators/services are always going to be a big, juicy target for hackers, but I trust the Mandrill crew; I still recommend them above others for Magento outbound emails.
My favorite part is being able to log in to their remote standalone site and see exactly the content of the emails that have been sent from my site (a lot cleaner than BCCing to another Gmail account, or a filtered folder in your main account).
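The Mandrill email above recommends auditing every service you use to see whether it is also vulnerable. The first thing most people do is look at the OpenSSL version string, which is fine as a triage step as long as you know where it misleads. The snippet below is an added example, not code from Mandrill or from this site: it classifies the text of `openssl version -a` against the affected range (1.0.1 up to 1.0.1f, plus 1.0.2-beta1; 0.9.8 and 1.0.0 never had TLS heartbeats) and honours two things a plain version compare misses. The sample version strings and the `package_changelog` text are constructed for the example; the assumption that a build with heartbeats compiled out shows `-DOPENSSL_NO_HEARTBEATS` on the `compiler:` line of `openssl version -a`, and that a vendor changelog naming CVE-2014-0160 means the fix was backported, are mine.

```python
import re

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g and 1.0.2-beta2 carry the fix. The 0.9.8 and 1.0.0 branches never
# implemented the TLS heartbeat extension, so they are not affected at all.
FIRST_FIXED_101_LETTER = "g"

# Matches "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.2-beta1 24 Feb 2014", etc.
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|pre\d+))?", re.IGNORECASE
)


def parse_openssl_version(text):
    """Return (major, minor, fix, letter, prerelease) from `openssl version [-a]` output.

    Returns None when no OpenSSL version string is present in the text.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), letter.lower(), (pre or "").lower()


def classify_heartbleed(version_output, package_changelog=""):
    """Classify `openssl version -a` output as 'vulnerable', 'not_vulnerable' or 'unknown'.

    The verdict is based on the upstream version number. Distributions (Debian,
    Ubuntu, RHEL) backported the fix without bumping the version letter, so a
    'vulnerable' verdict on a vendor package means "confirm via the package
    changelog or a live heartbeat test", not "definitely exploitable". Passing
    the package changelog text lets that backport be recognised (assumption:
    the changelog names CVE-2014-0160 when the fix was applied).
    Returns a (verdict, reason) tuple.
    """
    parsed = parse_openssl_version(version_output)
    if parsed is None:
        return "unknown", "no OpenSSL version string found"
    major, minor, fix, letter, pre = parsed

    # A build with heartbeats compiled out is safe whatever the version says.
    # Assumption: -DOPENSSL_NO_HEARTBEATS shows up on the 'compiler:' line.
    if "OPENSSL_NO_HEARTBEATS" in version_output:
        return "not_vulnerable", "built with OPENSSL_NO_HEARTBEATS"

    # A vendor backport keeps the old version string but records the CVE.
    if "CVE-2014-0160" in package_changelog:
        return "not_vulnerable", "vendor changelog records the CVE-2014-0160 fix"

    if (major, minor) != (1, 0):
        return "not_vulnerable", "branch without the affected heartbeat code"
    if fix == 0:
        return "not_vulnerable", "1.0.0 branch has no TLS heartbeat support"
    if fix == 1:
        # 1.0.1 (no letter, including betas) up to 1.0.1f are affected.
        if letter == "" or letter < FIRST_FIXED_101_LETTER:
            return "vulnerable", "1.0.1%s predates the 1.0.1g fix" % letter
        return "not_vulnerable", "1.0.1%s includes the fix" % letter
    if fix == 2:
        if pre == "beta1":
            return "vulnerable", "1.0.2-beta1 predates the fix"
        return "not_vulnerable", "1.0.2-beta2 and later include the fix"
    return "unknown", "unrecognised 1.0.x version"


if __name__ == "__main__":
    # Constructed sample outputs, not captured from any real host.
    samples = [
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
        "OpenSSL 1.0.1f 6 Jan 2014\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS",
    ]
    for s in samples:
        print(s.splitlines()[0], "->", classify_heartbleed(s))
```

Treat "vulnerable" here as "go and check properly": a version string can only clear a host, never convict one, because of vendor backports. The reverse also holds, which is why the changelog and build-flag checks are in there: a host reporting 1.0.1e can be perfectly fine once its distro has shipped the patched package, and that is exactly the case the Mandrill email describes (patched servers, same EC2 base).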