The recent OpenSSL vulnerability CVE-2014-0160, nicknamed “Heartbleed,” affected large part of the Internet. It was caused by a relatively trivial bug, a missing check for an input value, which can lead to a buffer overrun, causing leaking of an unrelated block of memory. This can ultimately lead to compromising of the secret keys used to encrypt the traffic, which essentially allows attackers to eavesdrop on communications, steal data directly from the services and users, and to impersonate services and users.
We take security very seriously at Logentries. We upgraded OpenSSL lib literally within minutes after revelation. Data entrypoints required recompilation and were fixed within first few hours. We also run our system against validation assessment tools to ensure all public-facing services are provably immune.
Subsequently, we started mitigating potential consequences of this vulnerability. For example, we terminated open sessions and initiated re-keying our certificates. We reset all our internal passwords and credentials we use with our partners.
We are not aware of any compromised accounts. We would like to encourage all Logentries users to reset their passwords on our site (we will issue a reminder to all accounts) as well as all other web sites.
Let us know if there is anything our team can do to help.