About the OpenSSL Heartbleed vulnerability
Recently, Shipwire released an update in response to a serious security vulnerability called “Heartbleed,” which impacts the encryption used for Internet communications and could allow access to decrypted HTTPS traffic.
Once we became aware of Heartbleed, we addressed the issue and evaluated possible impacts. We want to share some specifics of the Heartbleed vulnerability as it relates to Shipwire’s services, as we know that our customers, like us, are concerned about privacy and security.
We have no evidence that the Heartbleed vulnerability was used to obtain any Shipwire data or to access Shipwire services.
Our application load balancers, which are the primary means by which most customers communicate with Shipwire, were confirmed not to be using a vulnerable OpenSSL version.
Some of Shipwire’s internal servers were determined to be using affected versions of the OpenSSL library. Patches have since been applied to all impacted servers, and those servers have been restarted and their sessions erased.
What you should do
While there is no indication that Shipwire users have been impacted, we nonetheless recommend that users consider updating their account passwords, especially on API roles. Regardless of circumstances, we recommend regular password changes.
Additionally, many of our users have hosted sites or applications that store their Shipwire credentials and other sensitive data. We remind you to audit all services you may use (for example, self-hosted shopping carts) to determine whether they might also be vulnerable, to take steps to ensure that any vulnerable services have been mitigated, and to replace SSL certificates once any vulnerabilities have been addressed.
When in doubt, your hosting provider is a good resource for understanding whether you may be or may have been affected.