By now, you have surely heard about the Heartbleed Bug, and maybe you had to deal with it on your own production servers.
Gemnasium relies on OpenSSL to secure the HTTPS communications, so we had to deal with that issue too.
It is proven that one can exploit the Heartbleed Bug to eavesdrop on HTTPS communications between Gemnasium and the browsers. So in theory it would have been possible for an attacker to steal a session cookie and to spoof the identity of any user.
We get the security updates from the distro repositories on a daily basis. So the OpenSSL library was patched on our servers shortly after the patch was published.
Then we had to revoke the SSL certificate we use for HTTPS communications, and we now have new ones, generated from new private keys.
Also, we had to deal with the GitHub tokens that we store to access your repos. GitHub relies on OpenSSL, so the tokens may have been stolen.
Fortunately, the GitHub API makes it possible to reset tokens and to get new ones. So we ran a batch job to reset all the tokens we store.
Gemnasium relies on Stripe.com to charge your credit card; we do not process the credit card numbers in any way.
Stripe responded quickly to the Heartbleed Bug threat:
To remain on the safe side, we have renewed the Stripe API keys of Gemnasium.
Please contact our support at firstname.lastname@example.org if you have any questions regarding this issue.
The Gemnasium Team