Yesterday, a new vulnerability was discovered affecting SSL, a protocol most of the Internet uses to encrypt and secure communications. The Sprout Social engineering team was quick to respond, ensuring that our tools are fully secure for our customers. We are happy to report that it’s safe to continue using Sprout Social.
For the curious, we would like to quickly explain why this particular vulnerability could be a risk across the Internet. The bug — dubbed “Heartbleed” — allows anybody to read the memory on a system that is supposed to be protected by SSL.
If the issue is not addressed, an anonymous attacker could potentially steal any information from an SSL-secured communication. Best practices dictate that websites and web service providers should always use SSL-encrypted communication when dealing with sensitive information like usernames, passwords, and bank info. Heartbleed could expose that information to anybody who knows how to extract it, without leaving a trace.
Once more, Sprout’s got your back. We’ve ensured our web and mobile applications are not vulnerable, and are safe for you to use. Our security team will continue closely monitoring new vulnerability developments to ensure any issues that may affect Sprout users are quickly addressed.
If you would like more information about Heartbleed, please read the helpful Q&A that’s making the rounds.
Bill Gambardella: Bill Gambardella is the Information Security Program Manager at Sprout Social. He is a paranoid member of the engineering team who spends most of his time thinking of the best ways to protect Sprout Social's users.
It looks like I sent my answer as a direct reply. Posting again for everyone else:
@dogsbody Our external servers have never used a version of OpenSSL that is vulnerable to Heartbleed. Some internal services needed to be addressed but they were handled before this article was posted.
I hope that helps. If you'd like to check if other sites are vulnerable to Heartbleed, this tool is a good place to start.