A vulnerability came to light Monday that affects a significant number of websites and services. Known as “Heartbleed,” this vulnerability affects certain versions of OpenSSL, a technology used to encrypt data during transmission. Aside from its catchy name and “logo”, its far-reaching impact has captured the attention of the world, triggering thousands of articles, blog posts (including this one), and tweets. If you want a pretty good one-stop source of information about the vulnerability, you can go to this website dedicated to it.
What has OneLogin done about Heartbleed?
OneLogin takes all security vulnerabilities very seriously. Once the vulnerability was published on Monday, we immediately checked and verified that our customer-facing Web servers were not susceptible to this vulnerability. However, we did note that some of our backend servers were affected and needed to be patched, which we completed yesterday.
We have also taken the precautionary step of issuing new SSL certificates to provide our customers with peace of mind in the unlikely case that the vulnerability in our backend servers was exploited. And finally, we are encouraging our customers to change their passwords, not only for their OneLogin account but also on other sites.
Heartbleed Beyond OneLogin
Heartbleed affects roughly two out of three websites out there. This means that websites and services that you log into on a daily basis (banks, online storage, SaaS solutions, social media, etc.) are potentially vulnerable to it. The vulnerability is extremely potent in that a successful exploitation of it would enable an attacker to capture any data transmitted between you and that site. Think about it: your banking credentials, your social security number, your unique password that you only use on one… ahem two… ok, maybe six or so websites. Virtually any information you pass to secured sites without thinking twice.
You can check if a site is affected by the vulnerability here, but remember, if the site was previously vulnerable to it, your credentials might have already been compromised, so you should change those right away. If the site is still affected by it, you should avoid going to that site until it’s patched.