Helpshift and the “Heartbleed” OpenSSL vulnerability
Yesterday, a major security vulnerability in OpenSSL, a widely used cryptography software library, was disclosed. The vulnerability allows a potential attacker to read confidential data from a server without any privileged information. The bug, called “Heartbleed”, has affected the majority of Internet companies including Yahoo!, Amazon, Heroku, etc.
At Helpshift, we take the security of your data and information security very seriously. Immediately after the disclosure of the OpenSSL bug, I personally audited our servers and discovered that we were also vulnerable to the bug.
We started fixing the vulnerability right away, and we managed to secure our servers within a few hours. Amazon Web Services had the same vulnerability that affected us, so we had to work with them to fix those as well. Today, we confirmed that Amazon has fixed the problem at their end and Helpshift is completely secure again.
Even though it’s highly unlikely that our systems were actually compromised, we’d still recommend that you change your Helpshift password to be safe.
We also took the opportunity to audit our general SSL/TLS usage and beefed up the security to exceed industry standards and achieve the highest possible rating on the SSL Report generated by Qualys SSL Labs.
A detailed report of how we improved our SSL/TLS security will be published on our engineering blog shortly.
~ Baishampayan “BG” Ghose / Co-founder & CTO