On April 7, the OpenSSL project issued a Security Advisory that detailed a serious vulnerability in the encryption software in use by a large percentage of the internet. This vulnerability (nicknamed “Heartbleed”) would potentially allow attackers to retrieve information from encrypted SSL endpoints.
We have prioritized hardening those services which handle account credentials and have secured those as of 10pm PDT April 8th. Though we do not believe any Optimizely accounts were compromised, we are taking action to proactively secure our customers’ accounts.
Because of the sensitive nature of Optimizely’s interaction with its customers’ websites, we strongly recommend that customers change their password immediately. Out of an abundance of caution, we will soon be issuing new passwords to all our customers.
We will continue to harden our remaining services and will issue another notice when this is complete.
UPDATE (April 10 11AM PST): At 10:30PM PST on Wednesday April 9, Optimizely began forcibly resetting passwords for all customers. Customers will have received an email notifying them of the password reset.