On April 7, 2014, information was released about a new vulnerability (CVE-2014-0160) in OpenSSL, the cryptography library that powers the vast majority of private communication across the Internet. This library is key for maintaining privacy between servers and clients, and for confirming that Internet servers are who they say they are.
This vulnerability, known as Heartbleed, would allow an attacker to steal the keys that protect communication, user passwords, even the system memory of a vulnerable server. http://heartbleed.com has more detailed information about the exploit. Should a server be vulnerable, the consequences of an attack can be very serious.
Upon becoming aware of the Heartbleed bug, we immediately conducted an investigation of all Tradeshift servers. We can conclude that Tradeshift servers have not been exposed to this vulnerability. For all of our services that use secure communication where the security is established through the use of OpenSSL, we have not been using any of the affected versions of the OpenSSL library.
We recommend that our users – and any users of Internet services – check the status with their service providers to assess any potential leakage of data. The Heartbleed bug is very widespread and could have affected any service on the Internet – email providers, online banking, etc.
At Tradeshift we are acutely aware that we host and protect data whose privacy is critical to our users. If you happen to use the same password for your Tradeshift account as you do for your other online accounts, we recommend you change your password as a precautionary measure. And while we are mentioning it, now’s a good time to remind you that changing your password on a regular basis is a diligent measure to keep your data safe.
If you have any questions or concerns specific to your Tradeshift account, please feel free to reach us at firstname.lastname@example.org
Apr 10, 07:15 UTC