Yesterday afternoon (Pacific time) we became aware (in much the same way as the rest of the internet) of a serious zero-day vulnerability that affects the commonly used OpenSSL library. Along with two thirds of the internet, this vulnerability in one of the key security building blocks of the internet affected the servers that run Accelo.
For more information on this bug, check out the coverage at C|Net, or watch the video at the bottom of this post.
After becoming aware of the vulnerability, our systems admin team swung into gear urgently and patched all of our server infrastructure; the patches were in place within 90 minutes of the vulnerability coming to the attention of our engineers, which is a credit to their responsiveness and skill (and a demonstration of the benefits of cloud-delivered business software - goodness knows how many on-premise servers are still vulnerable).
One remaining piece of infrastructure - the Amazon Web Services Enterprise Load Balancers (or ELBs) - that we use wasn't something our engineering team could directly patch - we needed to wait for Amazon to complete the patch of these pieces of infrastructure, which they completed today.
In the next 24 hours we'll be replacing all of our security certificates and keys as a precaution - while it is unlikely that the short window of time between the vulnerability being disclosed and the time Amazon implemented their last patches resulted in any malicious user getting access to our private certificate or keys, we aren't prepared to take any chances.
For a malicious user to have any chance of accessing your data they would still need to be in the network between you and the Accelo servers; we regard the chance that this has occurred as very remote, but as a precaution you may wish to change your username and password details tomorrow once we've made 1000% sure by revoking and replacing our certificates.
Update: we have now replaced all of our security certificates with brand new ones; as our Certificate Authority (GeoTrust) gets through their backlog our previous certificates will be explicitly revoked.
In short, we solved the specific risk within 90 minutes, Amazon patched the Load Balancers within 24 hours and an extra precaution of replacing all of our certificates has been completed within 48 hours.