A Secure Life in the Press!
Home > Online Security > Heartbleed Bug Infests 70% of the Internet! (Infographic & Video)

Heartbleed Bug Infests 70% of the Internet! (Infographic & Video)

Heartbleed Bug VirusThis is extremely important and needs to be shared with everyone you know. A new “bug” named Heartbleed Bug has made close to 70% of websites insecure. That’s over 600 million sites, and most likely one or two of them are sites you visit. It’s important that you know what this bug does and what to do if you fall victim to it.

 

What does the Heartbleed Bug do and what is it?

The Heartbleed Bug undoes web encryption to reveal data on sites using an unpatched version of OpenSSL (a data encryption technology that is used by 2/3 of the Internet). Passwords and other sensitive information (emails, documents, and more) stored on affected sites are vulnerable at this time because of the Heartbleed Bug. In other words, someone can steal your online information easily on affected sites, so it is extremely important that you change your passwords ASAP!

Priority for UpdatIng Passwords

If you want a structured way to go about the password change, we recommend changing important passwords (banking accounts, sites that you know are storing sensitive information, sites you visit often, etc.) first. You may also want to confirm that sites have fixed the vulnerability or you may end up changing the password a second time. Please use our comment form below if you are aware of major services that have had their security updated for the heart bleed bug and we will update this article accordingly.

Proceed with Caution

Attackers have been successful in leaving no trace because of the Heartbleed Bug, which has existed for two years (since March 14, 2012)! As a result, website owners may not know what data of theirs has been compromised, or if they have fallen victim to the Heartbleed Bug. The only thing they can do is patch the bug and contact their customers to reset their systems.

The Heartbleed Bug fools you into accessing false sites. Beware of sites that ask you to check for vulnerability. This may be a way of inviting the Heartbleed Bug into your system to steal your data.

What Can I do to Protect Myself from HeartBleed?

Winner
Best Identity Theft Protection

Runner-Up

Best Identity Theft Protection Runner-Up

Third Place Best Identity Theft Protection Third Place

Consider Identity Theft Protection

Identity theft protection services can monitor and notify you if someone uses your e-mail to attempt to log into an unrecognized service or if one of your online accounts is compromised. Signing up for identity theft protection is a lot easier and more affordable than you might think. In this age of Internet viruses, online banking scams, server hacks, and phishing attempts to steal your personal information, it’s more important than ever. We cover the top I.D. protection solutions in our identity theft reviews article. I’m also including a little table of our top three winners here so you can check out our top three candidates.

What SHould I Change My Passwords to? How do I Know My New Passwords Are Secure?

Even with Heartbleed patched, your data is only as secure as your password and the encryption mechanisms used. We encourage you to:

  1. Facebook.com SSL Identity Verified on Chrome BrowserOnly login to websites that ask for or store sensitive data if your browser verifies they are secure (in the browser address bar, you’ll see a lock symbol or color, and an alert icon if there’s an issue).
  2. Use 2-factor authentication (you verify your identity with an additional code provided to your phone or email) if your service offers it (many, including Google, do). This prevents unauthorized users from accessing your accounts with only your password.
  3. If a site has been compromised for which you used a password elsewhere, consider that password compromised. You should change it everywhere. As a rule of thumb, it’s a good idea to use a different password for each site. Consider a password solution such as LastPass to keep track of all your pw’s for you. See our video below for more password tips.

We’ve created a video that details how you can create a secure, not readily hackable password. This should help protect your data independent of the Heartbleed issue.

What sites have fallen victim to the Heartbleed Bug?

So far here is a list of definite sites who have been attacked by the Heartbleed Bug. We will do our best to update this as more information comes along, including the availability of patches (ie. the sites are no longer vulnerable to Heartbleed after being patched). In the mean time, it is important that you change your password to the following sites and all sites (once patches have been confirmed) to be safe. We are including only major services at this time, but will be adding to this list as time allows. Tip: Use Ctrl+F (Find) to see if the site or service you’re interested in is listed on this page.

Note: it’s a general good rule of thumb to change your passwords on a regular basis (monthly, quarterly, etc.), whether or not there’s a security issue at stake.

Sites Affected by HeartBleed, Patch Confirmed

These sites are vulnerable to the Heartbleed bug, but a patch has been confirmed. Change your password immediately.

  • 500px, Addthis, AirBnB, Archive.org, AWS (Amazon Web Services), Box, Dashlane, Disqus, Dropbox, DuckDuckGo, Entrepreneur, Etsy, EventBrite, Flickr, Fool.com, Github, Gmail, GoDaddy, Google, IFTTT, Instagram, Lastpass, Minecraft, Netflix, OKCupid, Pinterest, SoundCloud, SpiderOak, StackExchange, StackOverflow, Squidoo, Tumblr, WeTransfer, Wunderlist, Yahoo, Yahoo Mail, Youtube
  • Lastpass note: your master password is not sent to the LastPass server; however – you should change passwords of affected sites stored in Lastpass. To find out which of your sites are affected, login to Lastpass and click on “Security Check” under “Actions” (left-hand column). Alternatively, in the Lastpass bookmark, select Tools > Security check.

Sites Affected by Heartbleed, No Patch Confirmed

No patch has been confirmed, despite that these sites have shown to be vulnerable to Heartbleed. Keep monitoring this list, and change your password again once a patch has been confirmed.

  • ElegantThemes, Slate, USMagazine.com, WordPress

Sites that May Be Affected by Heartbleed, Patch Confirmed

These sites may have been affected by Heartbleed, and have been patched. You should change your password out of an abundance of caution.

  • Adobe, Facebook

Sites Not Affected by Heartbleed

These sites do not use the OpenSSL encryption technology and therefore have not been exposed to the Heartbleed bug. No patch has been issued.

Banking, brokerage, government, and tax websites, with the exception of USAA, which was patched (no password change necessary however). Also note that the banks claim they have not been affected, but given the important and sensitive nature of financial data, we advise you to change your password out of an abundance of caution. Additionally, U.S. regulators have asked them to issue patches.

  • 1Password, ABCNews, American Express, Android, Bank of America, AOL (America Online), Apple, Amazon, BBC, Blogger, Bloomberg, Capital One, Chase, Constant Contact, Craigslist, Disney, Ebay, ESPN, Evernote, FourSquare, Gawker, Groupon, HootSuite, Hotmail, Hulu, LinkedIn, MailChimp, Match.com, Microsoft, NBC News, Nordstrom, Outlook, Pandora, Paypal, Target, TED, Ticketmaster, Trip Advisor, Tumblr, Twitter, Walmart , WSJ
  • Note: Twitter was nevertheless patched, out of an abundance of caution.

Not Enough Information

We were unable to conclusively find Heartbleed information on these sites. If you know if these sites are affected and patched, please let us know in the comments below!

  • Carbonite, eHarmony, Living Social

Webmasters: How To Check Your SSL Sites Are Heartbug Free

Heartbleed bug: bleeding heartIf you are a web developer, webmaster, or web host, and have your own or client sites running OpenSSL (the website begins with https://) you can test your site and determine if it is impacted at http://filippo.io/Heartbleed/.

What to do if your site has fallen victim to the heartbleed bug

As the nature of this exploit includes the possibility that the server’s private key can be compromised, we highly recommend re-keying and re-issuing SSL certificates. Please contact your SSL certificate provider if you have questions about generating a new private key.

  1. Patch the bug immediately
  2. Verify the patch is working correctly
  3. Order new security certificates for all domains (including domains used by customers)
  4. Reset your site so all users are logged out
  5. When users log back in their data should be safe from the Heartbleed Bug

More technical details and information on the Heartbleed vulnerability can be found at HeartBleed.com.

HeartBleed News

The latest news breaks concerning the Heartbleed bug, covered here.

Is the NSA Involved?

Michael Riley from Bloomberg published an article claiming that the NSA has been exploiting the Heartbleed bug for years. They say they’ve known about the bug almost since its inception and have been exploiting it regularly to gather intelligence. The National Security Agency’s response? They initially declined to comment on Bloomberg’s claims, but then proceeded to state that they were in fact unaware of the bug until the information was released to the public. Whom to believe? As you’ve probably heard from the whole Snowden vs the NSA issue (links to our coverage of Snowden’s talk at South by Southwest earlier this year), the NSA isn’t exactly earning the consumer’s trust these days. What are your thoughts and feeling on this issue? Whom do you believe?

HeartBleed Slows Down The Internet

Such a vast number of key sites are patching themselves for the Heartbleed vulnerability, that the sheer bandwidth used to update key credentials is causing delays across the Internet. This bottleneck should hopefully clear as the majority of sites’ updates complete.

Heartbleed Used to Steal Patients’ Personal Data

About 4.5 million patients had their personal information stolen from Community Health Systems. The hospital group was broken into through the company’s computer system by the use of the Heartbleed Internet bug. This is the first known large-scale cyber attack.

INFOGRAPHIC: How to Make A Secure Password

INFOGRAPHIC: Tips to Ensure Your Passwords are Safe

Know of Any Sites Impacted by Heartbug?

Do you have any experience with the Heartbleed Bug are you aware of any websites or services that are affected that we failed to cover?

Our site's mission is to help consumers make more informed purchase decisions. This website accepts financial compensation from some of the companies mentioned which allows us to provide this free service to our readers. Compensation does not influence the rankings of products. More info on our disclosure page.

Sign up to Receive a Free Home Safety Checklist, and Monthly Security Tips & Reviews!


About Kimberly Kurimski
Kimberly is a graduate from Simpson College with a degree in Multimedia Journalism. She spent 4 1/2 months living in Thailand where she traveled throughout Southeast Asia. She enjoys watching movies, socializing with friends and family, and being active outside. She is an Apple lover and social media nerd.
Previous:
Next:
  • Adobe user

    Adobe had hackers break into their systems on October 3, 2013, and what
    was thought to be the theft of name, e-mail, credit card, and other
    personal data affecting 2.9 million users turned out to be at least 38
    million users. Where does Adobe stand with Heartbleed?

    • http://www.coverstorymedia.com/ Alex Schenker

      Adobe has not commented on whether they were affected, but a patch has been issued, so we suggest you update your password now.

  • http://www.anobii.com/ Barney Hanlon

    This article is so full of bad journalism it makes me shudder. I googled to see if any sites had been dumb enough to describe heart bleed as a virus, and lo and behold, this was in the list.

    Infests? Really? I think you mean the vulnerability is present.

    The Heartbleed bug does not allow users to “be vulnerable to the Heartbleed bug themselves”. Wildly inaccurate; it may allow other forms of attack, but it cannot attack end users itself.

    Poorly researched, hashtag filled journalism.

    • http://www.coverstorymedia.com/ Alex Schenker

      Got a chip on your shoulder Barney? We don’t mention the word “virus” in this article, and we also don’t claim that Heartbleed “attacks users.”

      Your comment is a poorly thought out, finger-pointing filled waste of everyone’s time.

  • Maggie McWilliams

    How can we find out whether a site has patched the bug?

    • http://www.coverstorymedia.com/ Alex Schenker

      Hi Maggie,

      We’re currently adding “patch confirmed” next to each vendor above for which we can confirm a Heartbleed fix has been issued (along with the date it was patched). If you have a question on a specific company or website, please reply and we’ll look right into it.

  • Pahrump Library

    I have just changed my Gmail (Google) password last month (2nd time this year). Will I still need a new password today, 4/10/14?

    • http://www.coverstorymedia.com/ Alex Schenker

      Hi Pahrump Library, I would say yes, better safe than sorry, especially given the severity of this hack.

  • http://www.coverstorymedia.com/ Sadie Cornelius

    Thanks for sharing these tips! It’s scary but feel much better now that I understand it a little better and know that so many of us are bringing attention on how to handle the situation quickly! Change those passwords people!