OpenSSL "Heartbleed" vulnerability
Incident Report for Braintree
Resolved
The SSL certificates and keys on affected systems have been replaced. No changes to merchant integrations are required.
Posted Apr 10, 2014 - 04:39 UTC
Update
We have published a blog post detailing our response to this vulnerability and the recommendations for our merchants.

https://www.braintreepayments.com/braintrust/openssl-heartbleed-update
Posted Apr 09, 2014 - 19:05 UTC
Identified
Yesterday, a very serious bug in OpenSSL was disclosed and fixed. The bug is known as Heartbleed and allows an attacker to remotely read raw memory from a web server using OpenSSL to serve TLS-encrypted traffic.

Upon learning of the vulnerability, Braintree immediately patched all exposed servers with an updated version of OpenSSL yesterday afternoon. While we have no evidence to believe that any SSL certificate or private key material was accessed, as a precautionary measure we are also in the process of replacing all of our SSL private keys and certificates on affected hosts. We are working as fast as possible, but the process of re-issuing certificates and validating them against our client libraries takes some time to complete to ensure no interruption in service.

No changes to merchant integrations will be required as a result of these updates.
Posted Apr 08, 2014 - 18:52 UTC
This incident affected: Control Panel, Sandbox and Production API (Gateway API).