On Monday, April 7th, 2014, a security vulnerability was disclosed in a software library called OpenSSL. Ustream, along with most of today’s major Internet services, relies on OpenSSL to encrypt and secure web traffic and private customer data. This vulnerability (identified as CVE-2014-0160; also known as Heartbleed) allows an attacker to remotely access the memory contents of servers running a vulnerable version of OpenSSL and potentially access sensitive data, including security keys, usernames and passwords.
The name “Heartbleed” comes from the particular section of the OpenSSL codebase affected by this bug, the Transport Layer Security “heartbeat” implementation. The piece of code responsible for the “heartbeat” section of the protocol leaks (or bleeds) memory to the network when an attacker sends a carefully crafted network packet.
Upon disclosure of the vulnerability, our security engineering team immediately started to investigate the impact on our services and deployed fixes to all affected servers within 24 hours. The after-incident investigation followed the deployment of the fix and took place over the past 4 days. We determined that there is no evidence that any customer data have leaked or that any attempt to exploit the vulnerability against Ustream’s services has been made. We paid extra attention to sensitive payment information storage, making sure nothing could have leaked, and concluded that the isolated system handling these data was not affected by this vulnerability.
However, as a precaution, we are replacing our security keys, certificates and passwords to ensure the safety of customer data. We advise our users to follow our practice. To reset your password, visit your Account Preferences, log in with your current credentials, scroll down to the bottom of the page and click “Change password”.
After filling in your current password, enter a new password and confirm it by typing in your new password again. To choose a safe password, make sure you read these tips on Password Security.
Keeping your data secure is our top priority. If you have questions about this incident, post them in the comments section below.