In light of the recent CVE-2014-0160 vulnerability, aka “Heartbleed”, we wanted to update our users on our security status.
We were not directly affected by the Heartbleed vulnerability. No production imgix servers were running Heartbleed vulnerable code.
Several third-party services that we rely on were affected. However, we have no indication that any sensitive information could have been attained through these services. We apply many security best practices to ensure that highly sensitive information (e.g. passwords, AWS keys) are encrypted internally as early as possible and before transmission to a third party for use or storage.
While we have no reason to believe that we have been compromised, now would be a good time to take some added precautions just in case:
- Generate a new API key. You can change API keys by logging into https://dashboard.imgix.com, navigating to Account, and clicking the Reset button next to API key under “User Details”. Each user has their own API key, so encourage other users of your account to do the same.
- Change your password. Our passwords are stored using an adaptive hashing function that makes it very computationally expensive to brute force should they ever be compromised. However, like changing the batteries in your smoke alarm, it is a good practice to regularly change your password. We recommend using the strongest unique password you can.
- Update your Amazon credentials. If you are using Amazon S3 sources, we recommend rotating the S3 access credentials you have provided to us and double-checking that they are read-only. S3 credentials are strongly encrypted before being stored within our databases, but you should still use separate, read-only credentials for connecting to images via imgix.
If you have any questions, please contact support@imgix.com
