In the last week a major security flaw has emerged at the heart of the internet, known as the Heartbleed security bug, which may have left secure data vulnerable to being accessed by hackers. Many websites have been urging their users to change their passwords, and smaller online retailers who collect users' data are left unsure about what steps, if any, to take to assure the safety of their customers' information when considering the Heartbleed and eCommerce implications.
OpenSSL is not directly used by platforms such as Magento or WordPress, but it can be used by the servers hosting the data. OpenSSL is designed to encrypt communications between a user's computer and the web server, and a bug in its implementation of the TLS heartbeat extension means that it can be fooled into giving out more data than it should. This means that passwords, emails and all secure data can be given out, and worse still the server's SSL private key, which could let hackers decrypt previously captured traffic as well. There are two really useful tools available here to check websites for possible vulnerability to the OpenSSL Heartbleed bug:
All clients with ReThink eCommerce have been checked and updated. Those on managed hosting will most likely find that their hosting provider has released a statement by now, so I would recommend checking the hosting provider's website. In most cases they will already have applied the patch, although there is no way of knowing whether data was compromised before that. Whether you should change your passwords, and go as far as emailing all your customers to ask them to change theirs, depends largely on how quickly the hosting provider updated and patched any affected servers, if they were affected at all. Check for official advice from them on that; we would always recommend that website administrators change passwords on a regular basis, and this may be a good time to do so.
A final consideration is the use of customers' data on other services. Many eCommerce managers export their customer data to third-party websites for services such as email marketing, so it is worth checking those sites for official advice too. Mailchimp, the leading email marketing platform, has stated that it is not vulnerable to the attack and that no action is required; you should definitely check the websites of any other services you have exported customer data into for similar statements.