For more than two years, the Internet's most popular implementation of the Transport Layer Security (TLS) protocol has contained a critical defect that allowed attackers to pluck passwords, authentication cookies, and other sensitive data out of the private server memory of websites. Ars was among the millions of sites using the OpenSSL library, and that means we too were bitten by this extraordinarily nasty bug.
By mid-morning Tuesday, Ars engineers already updated OpenSSL and revoked and replaced our site's old TLS certificate. That effectively plugged the hole created by the vulnerability. By installing the OpenSSL update, attackers could no longer siphon sensitive data out of our server memory. And although there's no evidence the private encryption key for Ars' previous TLS certificate was compromised, the replacement ensured no one could impersonate the site in the event hackers obtained the key.
With Ars servers fully updated, it's time to turn our attention to the next phase of recovery. In the hours immediately following the public disclosure of the so-called Heartbleed vulnerability, several readers reported their Ars accounts were hijacked by people who exploited the bug and obtained other readers' account passwords. There's no way of knowing if compromises happened earlier than that. Ars has no evidence such hacks did occur, but two years is a long time. There's simply no way of ruling out the possibility.