There’s been a lot of hubbub across the internet this week after a vulnerability (affectionately referred to as “heartbleed”) was discovered in a common open source library called OpenSSL, used to provide encryption (SSL/HTTPS) for many tools such as web servers and database systems.
As soon as we learned of this vulnerability on Tuesday afternoon, we assessed our risk by identifying all systems possibly running the vulnerable version of the OpenSSL library. Luckily, none of our customer-facing servers were running a vulnerable version. This includes both the Pardot application at https://pi.pardot.com and the Pardot website at http://www.pardot.com.
We did have some non-customer-facing servers running a vulnerable version, and those were all patched by 11AM eastern Wednesday morning. Since those servers were not customer-facing, they were behind firewalls, so there was no possibility of exploitation.
We have no indications that any systems were compromised or customer data leaked as a result of this vulnerability. However, out of an abundance of caution, we are going to update our SSL keys and certificates just in case. In the meantime, even without the new keys and certificates, the platform is secure.
Lastly, this is a good opportunity to encourage ALL Pardot customers to revisit the way they use passwords across all of the web applications they access on a daily basis. Consider using a password manager such as LastPass or 1Password and generating site-specific passwords, so that your passwords are not reused across websites.
If you would like to check if a site you use is still vulnerable, we suggest using this tool.
Questions? Feel free to contact me on Twitter at @znbailey.