As previously reported, Modern Retail has patched all Magento web servers that could potentially have the Heartbleed Vulnerability. All other websites and servers were unaffected by this vulnerability with the exception of Email. Below is an email we received from Rackspace today regarding the Heartbleed Vulnerability and their Email Servers.
While it may seem like a low probability that someone could get access to your email account, we're in agreement with Rackspace that it is prudent to change the password on your email account. Please follow the procedures on this help page to change your password:
If you have any questions or concerns, please submit a Support Request and we'd be glad to help you out. Thank you.
Rackspace Heartbleed Security Update
Dear Administrator,
As you may have heard, a major security vulnerability, dubbed "Heartbleed," was recently discovered in OpenSSL. OpenSSL enables SSL and TLS encryption, which governs HTTPS—the secure communications between your computer and the servers on the Internet. It is used by about 2/3 of the web servers in the world. This vulnerability was the result of a programming error (or bug) in several versions of OpenSSL.
Due to the scope of this vulnerability, out of an abundance of caution, we are recommending an email password change for all users as soon as possible.
Details:
At its worst, Heartbleed allowed potential access to a private key for an SSL certificate as well as the encrypted communication itself. This basically means that any individual with the knowledge and skills required to exploit this vulnerability had a window to grab your user names, passwords and any private information you may have accessed with practically any of your online services that utilize the affected versions of the OpenSSL toolkit.
Mitigation:
Upon learning of this exploit, Rackspace Email engineers took immediate action. After a full system audit, we concluded that no public-facing web servers were exposed. We did, however, find a single SMTP end-point which was intermittently vulnerable. We immediately removed this server from rotation, applied the proper updates and proceeded to insulate all remaining servers from potential exploit. We are confident that these actions eliminate any further vulnerability associated with your Rackspace Email & Apps Services and Heartbleed.
Next Steps:
At this time we have no reason to believe any sensitive user information was accessed; however, out of an abundance of caution we recommend that all end users change their email passwords at their earliest convenience. Users can easily update their password using our Webmail application at apps.rackspace.com (or their respective private label website).
And remember, it is unsafe to use the same username & passwords across multiple online services. Again, out of an abundance of caution due to the sheer scope of this issue, we are recommending a password change for all users as soon as possible.
Best,
Email & Apps