What’s The Issue?Earlier this week there was a public disclosure of an OpenSSL bug referred to as Heartbleed. It’s a very serious problem, and affects a large number of sites on the internet.
What We Have DoneOur security team checked our servers immediately, and verified that all of our client-facing servers were not affected by this vulnerability since they are running an older version of OpenSSL that did not have the flaw.
But because this flaw was so widespread and existed for two years in the wild, we were concerned about the possibility that our secret keys could have been compromised some other way, such as when we uploaded them to our certificate provider. So to be extra safe we reissued our SSL certificates with a new secret key.
We use Zendesk for our support forums, and their servers did need to be patched, so we also reissued the SSL certs used on our Zendesk sites (support.shotgunsoftware.com and toolkit.shotgunsoftware.com).
What You Should DoBecause our servers were not vulnerable, you don’t need to do anything for your <client>.shotgunstudio.com site. That said, it’s never a bad idea to change your passwords on a regular basis, particularly if you (or any of the users on your site) are using the same password on other sites that may have been compromised.
If you have an account on our Zendesk support sites (support.shotgunsoftware.com or toolkit.shotgunsoftware.com) you should change your password for that account.