The NBME has been working to assess the impact on our customers in the wake of the recent disclosure of CVE-2014-0160, known colloquially as the "Heartbleed" bug. The Heartbleed bug is a serious vulnerability in the popular OpenSSL encryption software library used to secure the Internet. Like nearly every service provider on the Internet, we are responding to this vulnerability by conducting a comprehensive security review. Based on our review to date, here is what we know, what we recommend you do, and where you can find additional information.
What We Know
NBME was using a version of OpenSSL that was vulnerable to Heartbleed at the time of the announcement. The affected systems were patched and cleared of the vulnerability. The websites affected were limited to the following services:
- NBME self-assessment services (NSAS) - https://nsas.nbme.org/home
- International Foundations of Medicine (IFOM) Registration - https://wbt.nbme.org/order
What We Recommend You Do
At this time we have no evidence that any data have been compromised. However, as a precautionary measure, we recommend that users with accounts on the websites listed above change their passwords.