As you have probably heard, a security vulnerability in OpenSSL was disclosed on Monday afternoon that has been nicknamed Heartbleed. This vulnerability allowed for an attacker to connect to a server using SSL and gather some data from memory, potentially including passwords or other credentials.
Stackdriver uses Elastic Load Balancers to handle our SSL termination and was thus vulnerable to the problem. Amazon has finished their patching thus removing that avenue for the future. As the vulnerability leaves no traces of an attempt to sniff data, we have generated new SSL certificates and installed them on all of our infrastructure. While we have issued a revocation of the old certificates, you can also verify that the serial number of the new certificate is '37 77 09 D9 43 A2 1D F3 36 BC EE EE 1D EB B1 75'.
We have also invalidated all user sessions so you will need to log in again on your next visit to Stackdriver. To be safe, you may also wish to change your password as well as any API keys associated with Stackdriver.
It's worth noting that the credentials used to access your cloud provider's account were not at risk by this vulnerability. Stackdriver makes use of an IAM role which grants credentials that are only valid for an hour and then expire to make API calls on your behalf. Thus any exposure of those credentials would have been quickly mitigated by the short time to live of the tokens.
If you have any questions, feel free as always to reach out to us at firstname.lastname@example.org