This is extremely important and needs to be shared with everyone you know. A new “bug” named Heartbleed Bug has made close to 70% of websites insecure. That’s over 600 million sites, and most likely one or two of them are sites you visit. It’s important that you know what this bug does and what to do if you fall victim to it.
What does the Heartbleed Bug do and what is it?
The Heartbleed Bug undoes web encryption to reveal data on sites using an unpatched version of OpenSSL (a data encryption technology that is used by 2/3 of the Internet). Passwords and other sensitive information (emails, documents, and more) stored on affected sites are vulnerable at this time because of the Heartbleed Bug. In other words, someone can steal your online information easily on affected sites, so it is extremely important that you change your passwords ASAP!
Priority for UpdatIng Passwords
If you want a structured way to go about the password change, we recommend changing important passwords (banking accounts, sites that you know are storing sensitive information, sites you visit often, etc.) first. You may also want to confirm that sites have fixed the vulnerability or you may end up changing the password a second time. Please use our comment form below if you are aware of major services that have had their security updated for the heart bleed bug and we will update this article accordingly.
Proceed with Caution
Attackers have been successful in leaving no trace because of the Heartbleed Bug, which has existed for two years (since March 14, 2012)! As a result, website owners may not know what data of theirs has been compromised, or if they have fallen victim to the Heartbleed Bug. The only thing they can do is patch the bug and contact their customers to reset their systems.
The Heartbleed Bug fools you into accessing false sites. Beware of sites that ask you to check for vulnerability. This may be a way of inviting the Heartbleed Bug into your system to steal your data.
What Can I do to Protect Myself from HeartBleed?
Consider Identity Theft Protection
Identity theft protection services can monitor and notify you if someone uses your e-mail to attempt to log into an unrecognized service or if one of your online accounts is compromised. Signing up for identity theft protection is a lot easier and more affordable than you might think. In this age of Internet viruses, online banking scams, server hacks, and phishing attempts to steal your personal information, it’s more important than ever. We cover the top I.D. protection solutions in our identity theft reviews article. I’m also including a little table of our top three winners here so you can check out our top three candidates.
What Should I Change My Passwords to? How do I Know My New Passwords Are Secure?
Even with Heartbleed patched, your data is only as secure as your password and the encryption mechanisms used. We encourage you to:
- Only login to websites that ask for or store sensitive data if your browser verifies they are secure (in the browser address bar, you’ll see a lock symbol or color, and an alert icon if there’s an issue).
- Use 2-factor authentication (you verify your identity with an additional code provided to your phone or email) if your service offers it (many, including Google, do). This prevents unauthorized users from accessing your accounts with only your password.
- If a site has been compromised for which you used a password elsewhere, consider that password compromised. You should change it everywhere. As a rule of thumb, it’s a good idea to use a different password for each site. Consider a password solution such as LastPass to keep track of all your pw’s for you. See our video below for more password tips.
We’ve created a video that details how you can create a secure, not readily hackable password. This should help protect your data independent of the Heartbleed issue.
What sites have fallen victim to the Heartbleed Bug?
So far here is a list of definite sites who have been attacked by the Heartbleed Bug. We will do our best to update this as more information comes along, including the availability of patches (ie. the sites are no longer vulnerable to Heartbleed after being patched). In the mean time, it is important that you change your password to the following sites and all sites (once patches have been confirmed) to be safe. We are including only major services at this time, but will be adding to this list as time allows. Tip: Use Ctrl+F (Find) to see if the site or service you’re interested in is listed on this page.
Note: it’s a general good rule of thumb to change your passwords on a regular basis (monthly, quarterly, etc.), whether or not there’s a security issue at stake.
Sites Affected by HeartBleed, Patch Confirmed
These sites are vulnerable to the Heartbleed bug, but a patch has been confirmed. Change your password immediately.
- 500px, Addthis, AirBnB, Archive.org, AWS (Amazon Web Services), Box, Dashlane, Disqus, Dropbox, DuckDuckGo, Entrepreneur, Etsy, EventBrite, Flickr, Fool.com, Github, Gmail, GoDaddy, Google, IFTTT, Instagram, Lastpass, Minecraft, Netflix, OKCupid, Pinterest, SoundCloud, SpiderOak, StackExchange, StackOverflow, Squidoo, Tumblr, WeTransfer, Wunderlist, Yahoo, Yahoo Mail, Youtube
- Lastpass note: your master password is not sent to the LastPass server; however – you should change passwords of affected sites stored in Lastpass. To find out which of your sites are affected, login to Lastpass and click on “Security Check” under “Actions” (left-hand column). Alternatively, in the Lastpass bookmark, select Tools > Security check.
Sites Affected by Heartbleed, No Patch Confirmed
No patch has been confirmed, despite that these sites have shown to be vulnerable to Heartbleed. Keep monitoring this list, and change your password again once a patch has been confirmed.
- ElegantThemes, Slate, USMagazine.com, WordPress
Sites that May Be Affected by Heartbleed, Patch Confirmed
These sites may have been affected by Heartbleed, and have been patched. You should change your password out of an abundance of caution.
- Adobe, Facebook
Sites Not Affected by Heartbleed
These sites do not use the OpenSSL encryption technology and therefore have not been exposed to the Heartbleed bug. No patch has been issued.
Banking, brokerage, government, and tax websites, with the exception of USAA, which was patched (no password change necessary however). Also note that the banks claim they have not been affected, but given the important and sensitive nature of financial data, we advise you to change your password out of an abundance of caution. Additionally, U.S. regulators have asked them to issue patches.
- 1Password, ABCNews, American Express, Android, Bank of America, AOL (America Online), Apple, Amazon, BBC, Blogger, Bloomberg, Capital One, Chase, Constant Contact, Craigslist, Disney, Ebay, ESPN, Evernote, FourSquare, Gawker, Groupon, HootSuite, Hotmail, Hulu, LinkedIn, MailChimp, Match.com, Microsoft, NBC News, Nordstrom, Outlook, Pandora, Paypal, Target, TED, Ticketmaster, Trip Advisor, Tumblr, Twitter, Walmart , WSJ
- Note: Twitter was nevertheless patched, out of an abundance of caution.
Not Enough Information
We were unable to conclusively find Heartbleed information on these sites. If you know if these sites are affected and patched, please let us know in the comments below!
- Carbonite, eHarmony, Living Social
Webmasters: How To Check Your SSL Sites Are Heartbug Free
If you are a web developer, webmaster, or web host, and have your own or client sites running OpenSSL (the website begins with https://) you can test your site and determine if it is impacted at http://filippo.io/Heartbleed/.
What to do if your site has fallen victim to the heartbleed bug
As the nature of this exploit includes the possibility that the server’s private key can be compromised, we highly recommend re-keying and re-issuing SSL certificates. Please contact your SSL certificate provider if you have questions about generating a new private key.
- Patch the bug immediately
- Verify the patch is working correctly
- Order new security certificates for all domains (including domains used by customers)
- Reset your site so all users are logged out
- When users log back in their data should be safe from the Heartbleed Bug
More technical details and information on the Heartbleed vulnerability can be found at HeartBleed.com.
The latest news breaks concerning the Heartbleed bug, covered here.
Is the NSA Involved?
Michael Riley from Bloomberg published an article claiming that the NSA has been exploiting the Heartbleed bug for years. They say they’ve known about the bug almost since its inception and have been exploiting it regularly to gather intelligence. The National Security Agency’s response? They initially declined to comment on Bloomberg’s claims, but then proceeded to state that they were in fact unaware of the bug until the information was released to the public. Whom to believe? As you’ve probably heard from the whole Snowden vs the NSA issue (links to our coverage of Snowden’s talk at South by Southwest earlier this year), the NSA isn’t exactly earning the consumer’s trust these days. What are your thoughts and feeling on this issue? Whom do you believe?
HeartBleed Slows Down The Internet
Such a vast number of key sites are patching themselves for the Heartbleed vulnerability, that the sheer bandwidth used to update key credentials is causing delays across the Internet. This bottleneck should hopefully clear as the majority of sites’ updates complete.
Heartbleed Used to Steal Patients’ Personal Data
About 4.5 million patients had their personal information stolen from Community Health Systems. The hospital group was broken into through the company’s computer system by the use of the Heartbleed Internet bug. This is the first known large-scale cyber attack.
INFOGRAPHIC: How to Make A Secure Password
Know of Any Sites Impacted by Heartbug?
Do you have any experience with the Heartbleed Bug are you aware of any websites or services that are affected that we failed to cover?