Notice: SSL Heartbleed Bug
On Monday, April 7th, a serious vulnerability in the OpenSSL cryptographic software library, known as Heartbleed, was publicly disclosed. OpenSSL is a very popular library used for providing secure and private communication for services such as websites, email, virtual private networks and more. This includes most communication with Unfuddle and similar services.
The bug allows an attacker to read parts of a vulnerable system's memory, which can expose the private keys used to identify the service and to encrypt communications. An attacker who obtained those private keys would potentially be able to eavesdrop on communications and steal data, or impersonate other users.
How We Are Handling This
There is no indication that Unfuddle servers have been attacked via this vulnerability. However, in response, we moved quickly to address any risk to our service:
- We have upgraded OpenSSL on our servers to a new version which is not affected by the Heartbleed bug.
- We have removed our old SSL keys and created new SSL keys on our systems.
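As an added defender-side check (not part of Unfuddle's notice or its tooling), the following Python script turns the two remediation steps above into tests a practitioner can run against a host's own `openssl version` output and the `notBefore=` line printed by `openssl x509 -noout -startdate` for the deployed certificate. The affected version range it encodes (1.0.1 through 1.0.1f plus the 1.0.2 betas; 1.0.1g is the first fixed release) comes from the upstream OpenSSL advisory rather than from this notice; the disclosure year (2014) and all sample inputs are assumptions constructed for the example.

```python
import re
from datetime import date, datetime

# Affected range per the upstream OpenSSL advisory (assumption: not stated in the notice):
# 1.0.1 .. 1.0.1f and the 1.0.2 betas are vulnerable; 1.0.1g is the first fixed release;
# the 1.0.0 and 0.9.8 branches never contained the heartbeat bug.
FIRST_FIXED_LETTER = "g"
# "Monday, April 7th" in the notice; the year 2014 is an assumption.
DISCLOSURE_DATE = date(2014, 4, 7)

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d*)?")


def parse_openssl_version(version_line):
    """Parse the first line of `openssl version` into (major, minor, patch, letter, is_beta)."""
    m = VERSION_RE.search(version_line)
    if m is None:
        raise ValueError("not an OpenSSL version string: %r" % version_line)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, m.group(4), m.group(5) is not None


def is_heartbleed_affected(version_line):
    """True when the reported version falls inside the vulnerable range."""
    major, minor, patch, letter, is_beta = parse_openssl_version(version_line)
    if (major, minor, patch) == (1, 0, 2):
        return is_beta            # 1.0.2-beta1 shipped the bug; 1.0.2 final did not
    if (major, minor, patch) != (1, 0, 1):
        return False              # 1.0.0, 0.9.8 and later branches are unaffected
    # Patch letters are single lowercase letters that increase alphabetically.
    # Plain "1.0.1" has an empty letter, and "" < "g", so it is flagged as intended.
    return letter < FIRST_FIXED_LETTER


def parse_not_before(startdate_line):
    """Parse `openssl x509 -noout -startdate` output, e.g. 'notBefore=Apr  8 12:00:00 2014 GMT'."""
    text = startdate_line.strip()
    if text.startswith("notBefore="):
        text = text[len("notBefore="):]
    if text.endswith(" GMT"):
        text = text[:-len(" GMT")]
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").date()


def cert_rotated_after_disclosure(startdate_line):
    """True if the certificate was issued on or after the disclosure date.

    A certificate issued before that date on a once-vulnerable host may be
    backed by a key that was readable from memory, so it should be replaced.
    """
    return parse_not_before(startdate_line) >= DISCLOSURE_DATE


def assess_host(version_line, startdate_line):
    """Combine both checks into the two findings a post-Heartbleed checklist needs."""
    return {
        "openssl_affected": is_heartbleed_affected(version_line),
        "cert_rotated": cert_rotated_after_disclosure(startdate_line),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not output from any real Unfuddle host.
    before = assess_host("OpenSSL 1.0.1e 11 Feb 2013",
                         "notBefore=Dec  1 00:00:00 2013 GMT")
    after = assess_host("OpenSSL 1.0.1g 7 Apr 2014",
                        "notBefore=Apr  8 12:00:00 2014 GMT")
    print("before remediation:", before)
    print("after remediation: ", after)
```

A flagged version string is a reason to look closer, not a verdict: several distributions backported the fix into packages still reporting 1.0.1e, so confirm against the package changelog. Conversely, an upgraded library is only effective once every long-running process that had the old copy mapped (web servers, mail daemons, VPN endpoints) has been restarted.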
What You Can Do
Again, there has been no indication that such an attack was carried out against Unfuddle. If you wish to be cautious, we recommend taking the following steps in your existing Unfuddle accounts:
- Change your password.
- Reset your account access keys. These are the keys used to access certain parts of your account via RSS. This can be done by an admin from within your account settings.
The security of your Unfuddle accounts is a top priority for us. We will continue to monitor our systems and be sure to immediately address any other issues which may come to light.
"created new SSL keys on our systems." Do you want to say "generate CSR records on our system and requested new SSL certificate?"
That is why you should add optional two-factor authentication support into Unfuddle + separate passwords for SVN/Git access