Mandrill Hacked???
Ben
Member
April 9, 2014 - 10:22 pm
Member Since: October 16, 2013
Forum Posts: 264

Just received this email…
System Alert: OpenSSL Heartbleed Security Vulnerability

On Monday, the OpenSSL project released an update to address a serious security vulnerability nicknamed “Heartbleed”. This vulnerability impacts the encryption used for internet communications and could allow access to decrypted HTTPS traffic. Like many service providers, once Mandrill became aware of Heartbleed, we moved to address, and evaluate the impact of, this vulnerability. We know that our users share our concern for security and privacy, so we want you to be aware of the specifics of Heartbleed vulnerability as it relates to Mandrill.

Impacted services
First and foremost, we have no evidence that the Heartbleed vulnerability was used to obtain any Mandrill data or to access Mandrill services.
Mandrill’s relay and application servers were using affected versions of OpenSSL. Patches have been applied to all impacted servers, a process which was completed and confirmed by 14:00 UTC on April 8th. Although Mandrill utilizes Amazon EC2, we don’t use the disk images provided by Amazon that were found to be affected. Nevertheless as a precaution, we’ve replaced our private key and SSL certificate since it’s plausible that Mandrill’s certificates could have been exposed.
What you should do
While there’s no indication that Mandrill user data has been impacted, we strongly recommend that users update their Mandrill account passwords. Since API Keys are used for accessing your account via the API and SMTP, we also recommend deactivating old keys and replacing them with new keys.
Many of our users have sites or applications hosted which store their Mandrill credentials or other sensitive data. So, we also recommend auditing all services you may use to determine if they are also vulnerable, taking steps to repair any vulnerable services, and replacing SSL certificates once the vulnerability has been removed.

Benni Blanco, from the Bronx.

Matthew Ogborne

Founder
April 10, 2014 - 7:24 am
Member Since: July 18, 2013
Forum Posts: 4565

Hi Ben,

It’s not just Mandrill, it’s everywhere.

OpenSSL is heavily used, many, many, many other sites are affected.

Hat-tip to the Mandrill team for letting their users know!

See http://heartbleed.com/

Matt

"Selling an item online is easy, but making living from a business that sells online, well that’s something different entirely!"

Matthew Ogborne

Founder
April 10, 2014 - 7:40 am
Member Since: July 18, 2013
Forum Posts: 4565

Hi Ben,

See here for a list of sites affected and not affected.

https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt

PayPal & eBay appear not to be in the list.

Matt

"Selling an item online is easy, but making living from a business that sells online, well that’s something different entirely!"

Jim @ Moogento
Global

Partner
March 23, 2015 - 12:21 am
Member Since: November 7, 2013
Forum Posts: 688

Mandrill also just emailed a few days ago to say they had been hacked again, and potentially lost emails but not contents of emails.

I guess email aggregators/services are always going to be a big juicy target for hackers, but I trust the Mandrill crew, I still recommend that above others for Magento outbound emails.

My favorite part is being able to log in to their remote standalone site and see exactly the content of emails that have been sent from my site. (A lot cleaner than bcc to another gmail account, or a filtered folder in your main account).

  • pickPack - smarter Magento packing sheets and warehouse picklists
  • shipEasy - process multiple orders with no sweat & get a visual sales overview easily
