OpenSSL is an open-source software suite that is used all over the world to encrypt communications over the internet. Heartbleed is the name given to a bug in that software that could allow access to that information, unencrypted, while it’s in server memory.
Certain parts of Campaign Monitor were using the most recent version of OpenSSL, which contained the bug. As soon as the bug was disclosed on Tuesday, April 8th, we patched the relevant machines to use the newly released fix, closing that hole.
We’ve also followed security best practices in renewing keys and changing passwords that were protected by OpenSSL software. The nature of the bug means that it isn’t possible to be certain whether or not it was used against any particular service or machine, so changing your Campaign Monitor password would be a good preventative measure.
You can change your own password under the “Account settings” link by hovering over your name in the Admin list, and clicking “Change your email or password”. You’ll find password changing instructions to give to your clients in our help section too.