A security flaw has been discovered in the popular OpenSSL cryptographic software library that is used by up to two thirds of the internet, as well as by a small number of services that Xero uses. Xero has in no way been affected, and your data is safe. More information is available at the OpenSSL page which includes the Security Advisory.
The researchers who discovered this issue have given it the dramatic name of “Heartbleed”, which you may also see referenced in some news articles.
Steps Xero has taken
Any time there is a potential threat to Xero, we conduct a Security Incident process which includes investigating the potential impact to Xero and our customers.
The immediate step we took was to evaluate which Xero systems use OpenSSL, and whether they used the affected version. The majority of our environment does not use OpenSSL as we run predominantly Microsoft technologies. The sweep of our environment showed no servers or sites running the affected versions.
The second step was to evaluate which external systems we, or direct customers, use that may be vulnerable. The only vulnerable site identified was our Australian Partner ‘Toolkit’, which stores no customer data and does not allow users to log in. Our third-party hoster for that environment is August, and they admirably patched the issue within 30 minutes, for which we thank them. The Xero Toolkit site is no longer vulnerable.
As stated above, we have no reason to believe that any of Xero’s environment is affected by this OpenSSL issue. We count ourselves lucky in this case, as a lot of other SaaS providers haven’t been as fortunate.
What you can do
Even though your Xero account is not affected, it is good practice to regularly change your passwords that you use online, and to use a different password for each site that you use.
To protect you from other sites that you use being compromised, consider changing all your passwords for important services now, while it’s at the front of your mind.
To manage multiple passwords for different websites, so that you don’t have to remember them all, we recommend the use of a password manager such as KeePass.
What we will do next
While we don’t have any immediate actions needed to protect our users, we are looking at whether there are any further steps we can take to add additional protection. I’ll update this post later with any action we take as an outcome of this threat.
If you have any questions, please do not hesitate to contact me (Security Officer, Xero) via our support channel (firstname.lastname@example.org).