Incident:

The Internet security flaw CVE-2014-0160, commonly referred to as Heartbleed, was discovered on April 7 and is reported to have affected most service providers on the Internet. Heartbleed is a security vulnerability in OpenSSL, a popular open-source library used to encrypt data over the Internet by an estimated 66% of all web servers.

Caspio was affected by Heartbleed because its infrastructure runs on elastic load balancers operated by Amazon Web Services (AWS), which uses OpenSSL.

Resolution:

On Tuesday, April 8 at 8:00pm Pacific Time, AWS announced that they had successfully implemented the Heartbleed security patch on all their load balancers.

The security of our users’ data is a top priority at Caspio. Our engineering team has been closely monitoring the situation and took immediate actions to resolve the issue. We have verified that all of our servers and systems — either operated by us or by third-party providers — have been patched appropriately. In addition, we have acquired and installed new SSL certificates for all of our servers.

What Should You Do?

There is no evidence that any Caspio account credentials were compromised. However, because this bug leaves no trace, no one knows whether their information has been accessed.

As a precaution, we recommend that Caspio customers take the following steps:

  • Change all Caspio Bridge account passwords, including those of the administrator and any sub-users. You can log in to your account to change your password, or administrators can reset account passwords through an email verification process.
  • If you are using Caspio Web Services, regenerate the pass keys for all enabled API profiles.
  • Ask the users of your deployed applications to change their passwords using your application’s password change feature. If none is available, you can create one using Caspio’s Password Recovery DataPage.

Be sure to subscribe to Caspio’s Service Status feed at https://twitter.com/CaspioStatus to stay updated on service-related notices, maintenance and release schedules.