In recent days we have had a lot of questions from clients who were concerned their information may have been compromised in Office 365 by the HeartBleed vulnerability. This flaw allows intruders to read server memory which would contain usernames, passwords, credit cards, or any other confidential information that may be on the server running OpenSSL. We wanted to take a minute to reassure you that Office 365 and out of the box Microsoft configurations are not affected.
The Heartbleed vulnerability is specific to OpenSSL which is not being used for any Microsoft Office 365 services. In fact, all Microsoft servers (Windows Server 2003 through Windows Server 2012 R2) do not utilize OpenSSL out of the box and use their own encryption component called Secure Channel (or SChannel which you may have seen errors in your event log for). Unless you have installed Apache or some other third-party application that uses OpenSSL on your Windows Server, you should be fine. Microsoft will continue actively monitor the security of Office 365 with threat modeling and attack surface analysis. We continue to believe security is a benefit of the Microsoft cloud services that goes above and beyond what a typical business can do and it is not a weakness.
For additional information please reference this article from Microsoft
