Earlier this week security experts discovered a serious vulnerability in some versions of the popular OpenSSL encryption software, which is used on about two thirds of all secure web sites. The bug is now commonly referred to as Heartbleed. It allows an attacker to read information that is normally protected by the SSL/TLS encryption used to secure the internet. Most significantly, it exposes the secret keys used to identify service providers and to encrypt traffic, the names and passwords of users, and the actual content of the connection.
Pidoco’s countermeasures
Pidoco reacted immediately to the discovery of the vulnerability and fixed the problem. We updated our servers to a new, secure OpenSSL version on Tuesday, April 8, 2014 at 11:58 AM UTC and have since replaced our existing SSL certificates with new ones.
In addition, although our internal audit produced no evidence of the Pidoco systems having been compromised, all active user sessions were terminated to minimize potential exposure.
We have also directly informed all users who might have been affected. To find out whether you have been affected, please check your email.
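Two of the steps described above, patching OpenSSL and then replacing the SSL certificates, can be verified from the outside by looking at the certificate a server now presents: its validity period must begin after the patch time, otherwise the server may still be using a certificate whose private key was exposed. The following is an added example, not code from the original post or from Pidoco; it uses only the Python standard library, takes the patch time from the notice above, and works on constructed sample certificates in the dictionary shape that `ssl.SSLSocket.getpeercert()` returns (the host name `example.invalid` is a placeholder).

```python
import socket
import ssl
from datetime import datetime, timezone

# Time at which the servers were patched (from the notice: April 8, 2014, 11:58 UTC).
PATCH_TIME = datetime(2014, 4, 8, 11, 58, tzinfo=timezone.utc)


def cert_issued_after(cert, cutoff):
    """Return True if the certificate's notBefore lies strictly after `cutoff`.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert(): a dict whose
    'notBefore' field is a string such as 'Apr  8 12:30:00 2014 GMT'.
    ssl.cert_time_to_seconds() parses exactly that format and treats it as UTC.
    """
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc
    )
    return not_before > cutoff


def key_rotation_status(cert, patch_time=PATCH_TIME):
    """Classify a certificate relative to the patch: 'reissued' or 'stale'.

    'stale' means the certificate predates the fix and its private key may have
    been readable from server memory while the vulnerable OpenSSL was running.
    """
    return "reissued" if cert_issued_after(cert, patch_time) else "stale"


def fetch_peer_cert(hostname, port=443):
    """Fetch the certificate a live server presents (network access required).

    Not used by the offline demonstration below; provided so the same check can
    be run against a real host.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates for the offline demonstration (not real
# Pidoco certificates). Only the fields this check reads are filled in.
OLD_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "notBefore": "Mar  1 00:00:00 2013 GMT",  # issued long before the patch
    "notAfter": "Mar  1 00:00:00 2015 GMT",
}
NEW_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "notBefore": "Apr  8 12:30:00 2014 GMT",  # issued 32 minutes after the patch
    "notAfter": "Apr  8 12:30:00 2016 GMT",
}

if __name__ == "__main__":
    for label, cert in (("old certificate", OLD_CERT), ("new certificate", NEW_CERT)):
        print(f"{label}: notBefore={cert['notBefore']} -> {key_rotation_status(cert)}")
```

Run against a real host with `key_rotation_status(fetch_peer_cert("hostname"))`. One caveat for anyone auditing their own servers: a certificate reissued after the patch is necessary but not sufficient, because a certificate can be reissued for the same key pair. The key itself must be regenerated, so confirm that the new certificate's public key differs from the old one and that the old certificate has been revoked.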
Who has been affected?
Since Pidoco had only just begun using the vulnerable OpenSSL version on March 2, 2014, only Pidoco users who logged on to their Pidoco accounts between March 2, 2014 and April 11, 2014 may have been directly affected. To those users we strongly recommend following the instructions below. Because Pidoco follows best practice in using forward secrecy, only this time frame is relevant: traffic from sessions outside it cannot be decrypted even if the server’s private key was exposed.
If you did not log on to your account in the period stated above but use your Pidoco password for other web services as well, we also recommend following the instructions below, as your login data may have been compromised through another online service (e.g. online mail providers, social media platforms, etc.). You can check which websites are (still) using the vulnerable version of OpenSSL here.
All our other users are not directly affected with respect to their use of Pidoco services. For peace of mind you may still want to follow the instructions below.
Recommendations for affected users:
1. Log on to your Pidoco account and click on “My Account” in the upper right corner.
2. Go to “My Profile”, type your current password and your new password into the input fields provided, and click on save.
3. A message will appear confirming the change.
If you use your Pidoco password for other web services, too, and have logged on to your Pidoco account between March 2, 2014 and April 11, 2014, we advise you to change the password for these services as well.
Our dedication to your data security
We are dedicated to keeping your data secure and safe. Please be assured that we are taking appropriate measures towards this end. If you have any questions on the topics discussed in this blog post or on data security at Pidoco in general, please don’t hesitate to contact us via email (firstname.lastname@example.org) or phone (+49 30 4881 6385). We will be happy to answer your questions.