The engineering team at Crittercism has been working to assess the impact for our customers in the wake of April 7th’s disclosure of CVE-2014-0160, known as Heartbleed. Our team conducted a comprehensive security review in response to this critical vulnerability in OpenSSL’s handling of heartbeat packets.
Security is very important to us at Crittercism, so we wanted to provide an update on our response and some guidance.
The vulnerability impacts roughly 2 of 3 websites protected with SSL (i.e. starts with “https”). The vulnerability lets an attacker eavesdrop on data sent/received from those sites, and ultimately to steal passwords (and other sensitive information contained on the site). Within a few hours after the vulnerability was announced, Crittercism security engineers applied fixes to all of our front-end servers, and reset all active customer portal sessions.
After our investigation there is no evidence that any Crittercism user credentials or account credentials were compromised. However, we recommend our customers take some additional steps to ensure the security of your account by changing your Crittercism password by taking the following steps:
- Log into http://app.crittercism.com
- Go to “Account Basics”
- Enter a new password and select “Update Password”
Additional steps you should be taking
On a personal level, you should also reset all of your passwords to protect yourself:
- Check the site has been patched by using this tool:
- If it has been patched, change your password ASAP
- If it has not been patched yet, check back often until it is (and consider quitting that provider in the future)
Please let us know if you have any questions or additional concerns by opening a support ticket.
VP Engineering, Crittericsm