Earlier this week, Heartbleed - a security vulnerability in the OpenSSL library - was publicly disclosed. GoCardless uses software that depends on OpenSSL, which means we were among the large number of companies affected.
Our engineering team patched our affected software on Tuesday morning (April 8th), and replaced our SSL certificates. This means that we are no longer vulnerable to Heartbleed.
We have no reason to believe that any GoCardless data has been compromised, but given the nature of the vulnerability we recommend taking the following precautions:
- We recommend that GoCardless users reset their passwords.
- We have invalidated any sessions that were in use prior to the resolution of the issue.
- We are adding the ability for API users to reset their API keys; we'll post an update as soon as this is possible.
If you have any questions, don't hesitate to email us at firstname.lastname@example.org.