On April 7, 2014, security researchers announced a new vulnerability, CVE-2014-016 (now commonly referred to as "Heartbleed"), in OpenSSL version 1.0.1.
OpenSSL is a security framework used in many web services and applications, including Breezy. For more details on CVE-2014-016, see US CERT and NIST NVD.
In plain terms, what this means is that the security layer that protects most of the internet, including sites for banks, brokerage accounts, email providers and others, has been breached.
As computer security expert Bruce Schneier wrote, "On a scale of 1 to 10, this is an 11."
Impact on Document Confidentiality
There has been no exposure of any document printed via any of the Breezy apps.
Breezy was architected to guard against exactly this kind of scenario -- in fact, situations like this one are the reason we use on-device encryption on every document printed from the Breezy app. Because we encrypt all documents before transmitting them, user document confidentiality was protected even though our servers had been running a version of OpenSSL that was affected by this bug.
Breezy proactively monitors a number of security mailing lists and became aware of this vulnerability as soon as it was announced.
We immediately undertook a review of our infrastructure to determine our exposure, and determined that a patched version of OpenSSL would be required for the servers hosting api.breezy.com and certain custom API URLs used by various customers.
By end of day yesterday, April 8 2014, all Breezy servers were patched. And although we have no evidence of any attempted attack, we have also taken the proactive step of updating our private keys and re-issuing the SSL certificate securing the breezy.com domain and all associated subdomains.
Because the vulnerability existed for two years before it was disclosed, it is possible that user data other than document contents, including user passwords, could have been compromised. We therefore recommend that you change your Breezy password as soon as possible.
If you have any questions regarding the Heartbleed vulnerability or Breezy's security model in general, feel free to contact us.
We appreciate the trust our users place in us, and we are pleased that on-device encryption has protected our customers' valuable data.