|Posted: 2014-04-10 13:45|
The Heartbleed bug has been widely covered in the media recently. It is a serious software bug with the potential to expose users visiting affected sites to spying. We have taken the situation very seriously and, as soon as we became aware of the issue, took immediate steps to ensure that we are not vulnerable to an attacker collecting data via Workbooks.
Until 15 March we were running software that included a revision of OpenSSL 0.9.8 which was not vulnerable to the Heartbleed attack. Therefore, any attacker using Heartbleed could only have done so in the past few weeks (and likely only since Monday 7 April when the vulnerability was announced.) We deployed a patch to address the issue on the morning of Wednesday 9 April, thus it is our considered opinion that there was a very small window of only 48 hours between the announcement and the fix when attacks could have occurred. Further, it is likely that any attackers would have targeted more high-profile sites than ours during that window. If data has been collected, it could have been to:
In summary, please be assured that we have acted quickly to mitigate the likelihood of Heartbleed affecting our customers. We take data security extremely seriously and will always act promptly when aware of potential threats.