Security rebuild completed last night

Abe Dane

Apr 17, 2014, 7:14:39 AM
to tizra-...@googlegroups.com
Last night we completed a process begun early last week to address risks associated with the Heartbleed OpenSSL bug.  The work we did last Tuesday, immediately after the threat became known, included updating the relevant software libraries, as well as our encryption keys and credentials, and site certificates.  From that point on, the bug was effectively patched in that it was no longer possible to use the bug to gain unauthorized access to the data on our servers.

The more recent steps were taken because the nature of the bug is such that we can't be 100% sure that our servers weren't compromised at some point in the past.  As the recent New York Times article linked to below points out, there is no evidence that this has happened to any of the many sites affected, but we felt it was best to be sure.


Therefore, we took the additional step of rebuilding our servers from scratch, from verified install sources, and without directly sharing any keys between the new and old servers.  We also took the opportunity to add some additional security measures, given the opportunity provided by the server rebuild.  With this process complete, any remaining threat from malicious code or backdoors put in place during the period of vulnerability has been addressed.

We apologize for the downtime last night, but hope it's understood to reflect how seriously we take the protection of our users' data.