This article was originally published as part of the Pobox blog. Pobox was acquired by Fastmail in 2015.

Two days ago, a critical security vulnerability was announced in OpenSSL, an extremely widely-used encryption library used by Pobox (and nearly every other website and service on the Internet.) You can read more about the specifics of the vulnerability, but the short version is: attackers could "listen in" on affected sites' and services' traffic, and could have gained access to their encrypted content, including usernames, passwords and the session keys that secure content.

Attacks are undetectable, so there is no way to determine if or when this vulnerability was exploited. It's possible it never was. That being said, this is an extraordinarily bad vulnerability, and the cautious standpoint is to assume all sensitive information could have fallen into the hands of malicious parties.

As of this morning (approximately 11AM EDT, April 9th), all affected services had been fixed, so no additional content could be accessed.  All sessions have been terminated, so potentially-compromised old sessions could not have bene reused to gain access. Fresh SSL certificates, regenerated with new keys, were put in place as of 5PM EDT April 9th.

What was vulnerable?

  • logins and sessions since February 20th, 2014
  • Encrypted traffic passed through our MXes, since March 9th, 2014
Webmail sessions can include calendars and contacts, which could have been accessible in addition to mail you read or sent during the session. A worst-case scenario would be your webmail session got "sidejacked", which would allow an attacker access to your mailbox as long as your session was active. 

Prior to those dates, we were running an older version of OpenSSL that was not vulnerable. 

What was NOT vulnerable?

  • logins or sessions
  • access to Mailstore mailboxes ( from email clients like Mac Mail, Outlook, etc. 

What should you do?

Pobox passwords: If you have used (or the now-deprecated since February 20th, we recommend changing your Pobox password immediately. Non-webmail users, Mailstore or forwarding only, should not need to change their passwords.

Forwarding address passwords: Gmail and Yahoo were both vulnerable to this exploit. Other ISPs may have been also. You should update those passwords as well.

Encrypted email: You should make a determination about what, if any, sensitive information you received via email during the affected time period, and take appropriate action. At a minimum, we would treat usernames and passwords as sensitive, and possibly more depending on your situation. 

Password reset links may not be an issue -- most of them are restricted to either a single use or a relatively narrow timeframe, so if they haven't been used, you may not need to worry.

Session key theft is one of the reasons we moved to much shorter session times. That being said, we recommend always logging out, which specifically terminates a session when you are done using it (on our site or anyone else's.)

If you have other questions, please let us know.

Updated 4/10/14, 10:34 EDT to note new certificates and time of deploy, and include a  recommendation to change your forwarding address password.