Last night we became aware of a 0-day vulnerability in OpenSSL 1.0.1f, known as the 'Heartbleed Bug'. This bug allows an attacker to read out random pieces of memory from vulnerable systems. Research indicated that mainly user sessions can be retrieved this way.
As soon as we heard about this bug, our technical staff immediately updated to 1.0.1g. This has solved the problem entirely.
Because this bug left no traces, we logged out all of our clients as a precautionary measure. You can log in safely now.
For more information about the Heartbleed Bug, please see heartbleed.com.
Update 12:03 p.m.:
We are also renewing our SSL certificates as an additional precautionary measure. However, we have no reason to believe that the certificates are not safe at the moment.
The researchers who made the patch for OpenSSL have thoroughly investigated the bug. They concluded that only socket buffers were returned. Based on these findings, combined with our own analysis of our data traffic patterns, we are convinced that our SSL certificates are not compromised.
This bug did not result in unauthorized access to private data or passwords. However, there is an extremely small possibility that passwords of customers who logged in between 19:30 (CEST) yesterday and 10:30 (CEST) today were stored in memory for a very short period and are thereby compromised. For security reasons, those customers will be contacted separately.
The Cloudflare challenge showed that private keys were retrievable. This substantiates our belief that we did the right thing by replacing our SSL certificates and by quickly and accurately informing our customers.