Monday, April 21, 2014

Xmarks and the Heartbleed Bug

As many of you are aware, a major security flaw known as the Heartbleed bug was recently discovered in OpenSSL, a low-level cryptographic library that Internet web servers use to secure web traffic. The flaw affected a majority of websites, including Xmarks.

Our servers were patched shortly after we learned of the vulnerability on the morning of 8 April, 2014, and as of 16:00 EDT that day we had also deployed new SSL certificates.
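Replacing the certificates matters as much as the patch itself: a server that was vulnerable may have had its TLS private key read from memory, so a certificate issued before the patch cannot be trusted to protect a newly chosen password. The following added example (not Xmarks' or LastPass's code) shows how a user or administrator can confirm that a site's certificate was reissued after a stated patch time. It parses the `notBefore`/`notAfter` lines printed by `openssl x509 -noout -dates`, compares the issue date with the 16:00 EDT (20:00 UTC) time given in this post, and runs on two constructed sample outputs; the function names and the UTC conversion are this example's own.

```python
"""Check whether a TLS certificate was issued after a Heartbleed patch date.

Added example for this post, not Xmarks' or LastPass's code. It parses the
notBefore/notAfter lines that `openssl x509 -noout -dates` prints, for example
from
    openssl s_client -connect host:443 </dev/null 2>/dev/null | openssl x509 -noout -dates
and compares the issue date with the time the operator says new certificates
were deployed. The sample outputs below are constructed; the patch time is the
16:00 EDT on 8 April 2014 stated in the post, converted to UTC (EDT = UTC-4).
"""
from datetime import datetime, timezone

# 16:00 EDT on 8 April 2014 is 20:00 UTC (EDT = UTC-4); conversion is ours.
XMARKS_PATCH_TIME = datetime(2014, 4, 8, 20, 0, tzinfo=timezone.utc)

# openssl prints dates as e.g. "Apr  8 20:00:00 2014 GMT" (day is space-padded).
_OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_date(value: str) -> datetime:
    """Parse one date value from `openssl x509 -dates` output into an aware UTC datetime."""
    value = " ".join(value.split())  # collapse the padding before single-digit days
    parsed = datetime.strptime(value, _OPENSSL_DATE_FMT)  # %Z accepts "GMT" but sets no tzinfo
    return parsed.replace(tzinfo=timezone.utc)


def parse_dates_output(text: str) -> dict:
    """Turn the notBefore=/notAfter= lines into a dict of aware UTC datetimes."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            dates[key] = parse_openssl_date(value.strip())
    if "notBefore" not in dates or "notAfter" not in dates:
        raise ValueError("openssl output did not contain both notBefore and notAfter")
    return dates


def reissued_after_patch(dates_output: str, patched_at: datetime = XMARKS_PATCH_TIME) -> bool:
    """True if the certificate's validity period starts at or after the patch time.

    A certificate issued before the patch may have had its private key exposed
    by Heartbleed, so a password changed over a connection secured by it could
    still be at risk; only a reissued certificate gives the user a fresh key.
    """
    dates = parse_dates_output(dates_output)
    return dates["notBefore"] >= patched_at


# Constructed sample outputs in the layout openssl uses.
OLD_CERT = """notBefore=Jan 15 00:00:00 2013 GMT
notAfter=Jan 15 23:59:59 2015 GMT
"""
NEW_CERT = """notBefore=Apr  8 20:00:00 2014 GMT
notAfter=Apr  8 23:59:59 2016 GMT
"""

if __name__ == "__main__":
    for name, output in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(f"{name} certificate reissued after patch: {reissued_after_patch(output)}")
```

Pipe the real `openssl x509 -noout -dates` output for the site into `reissued_after_patch` before changing a password there; a `False` result means the site is still presenting a certificate that predates the fix, and the password change is better postponed until it has been reissued.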

Although we have no evidence that the flaw was exploited while the vulnerability was in place, bookmarks, usernames, and hashed login passwords may have been exposed to attackers. Passwords synced with Xmarks password sync are stored and transmitted in encrypted form under a PIN that is never sent to the Xmarks server, so the security of those passwords depends on the strength of the PIN used.

As a precaution, if you have not already changed your password, we recommend that you do so now. Once logged in, you can click "My Account" and select the "Change Password" option.

If you use Xmarks password sync and a weak encryption PIN, please also consider changing the passwords stored in your browser vault.

We also recommend using a password manager like LastPass to store your logins and to replace your passwords, including your Xmarks login, with stronger generated ones. The LastPass Security Check can also show you which of your stored accounts were impacted by Heartbleed and what actions you should take at this time.

Our team continues to monitor the situation and will update the Xmarks and LastPass community as needed.