The Heartbleed Bug and You: Change Your Passwords!

We always keep your privacy and security in mind.

By now you’d be hard pressed to have missed coverage of The Heartbleed bug in OpenSSL.  At this point, Sonic.net is joining many other providers and recommending that you change your passwords for your online services.  This is important for high value accounts like banking and finance or other accounts that protect your personal information and data.  Do not forget to change your ISP and email account passwords!  These are especially important since access to your email account can be used to gain access into most of your online services.

We do not have any reason to believe that we, or any of our users, were targeted.  However, this attack was undetectable and the cautious response is to assume that sensitive information has been leaked.  In the interest of full disclosure we are providing a complete list of affected services and systems.  It should be noted that all of the vulnerable services support PFS wherever possible and should our private keys have been leaked, they cannot be used to decrypt any past traffic in most cases.

Customers may change their passwords in the membertools using the password tool.

If you have any questions, please post them in our forums.

As of 21:45 on April 7th,  all vulnerable systems had received an update to fix this bug.

The following sites and services were vulnerable:

  • imap.sonic.net (login credentials were not vulnerable, only keys)
  • pop.sonic.net (login credentials were not vulnerable, only keys)
  • mail.sonic.net (login credentials and mailflow in/out)
  • legacy-webmail.sonic.net
  • webmail.sonic.net
  • forums.sonic.net
  • wiki.sonic.net
  • corp.sonic.net
  • newsignup.sonic.net
  • public-api.sonic.net (used by mobile apps)
  • fusionbroadband.com (used by our wholesale partners and customers)
  • srapi.sonic.net (used by our wholesale partners)

All of these systems have had their certificates replaced except for the following which are still pending reissue by our CAs:

UPDATE: All systems have had their keys replaced.

  • legacy-webmail.sonic.net
  • wiki.sonic.net
  • forums.sonic.net

The following sites and services were not vulnerable due to running an early version of OpenSSL:

  • mx.sonic.net (inbound mail)
  • members.sonic.net
  • signup.sonic.net
  • listman.sonic.net

3 comments for “The Heartbleed Bug and You: Change Your Passwords!

  1. This isn’t strictly an “attack”, but instead a vulnerability of OpenSSL. It’s not like malicious actors have infected computers with this, but instead, services using OpenSSL were not as secure as believed.

Leave a Reply

Your email address will not be published. Required fields are marked *