Heartbleed Bug

OpenSSL is widely used to secure web servers on the Internet and other similar devices. A vulnerability in OpenSSL was found last month that allows attackers to easily capture privileged data from servers running specific versions of OpenSSL. Unfortunately this code has been in widespread use since 2012. Attackers are able to access the secured memory on the server which could contain sensitive information including usernames and passwords and the private master key used for encryption. If the key is obtained it would allow all encrypted information on the server to be unencrypted and read by the attacker.

What does this mean for me?

Unfortunately it is unknown exactly how far reaching this vulnerability was or will be. The only secure option is to not give any privileged information to sites until all the web servers have been impacted. This could mean avoiding online banking, or even avoid signing into facebook if you use the same password there as you do for other sites. It is also possible that hackers have been exploiting this vulnerability for some time without being detected too. Many banks have said that they were not impacted by the vulnerability. Please confirm with your bank prior to logging in.

How the heartbleed bug works.

What do I need to do now?

You should update your passwords everywhere as a precaution. A list of sites where I encourage you to change your password immediately is listed below, but just because a site isn’t listed doesn’t mean you shouldn’t update your password. Remember that you should not use the same password for multiple sites, nor easily guessable variations. Always use a secure password that consists of non-dictionary based words and a combination of upper case, lower case, numbers and symbols if allowed. You should also change your password frequently to ensure no one else has access to your accounts. Finally, if the service offers it you should rely on two-factor (or two-step) authentication. Typically the service will send a text message to you with a code you must use along with your password when signing in from an unknown computer.

Here’s a list of sites that may have been compromised that you should change your password on immediately. Note that it is not known if some of these sites were compromised, but in the interest of safety, please change your password. You’ve probably been using the password for too long there or have shared that password with another site anyway! đŸ™‚

  • Amazon
  • Box
  • Dropbox
  • Etsy
  • facebook
  • Flickr
  • GoDaddy
  • Google, Gmail
  • Instagram
  • Netflix
  • Pinterest
  • Tumblr
  • Yahoo, Yahoo Mail
  • YouTube

Finally, it would be suggested to go ahead and change your passwords again in a few weeks – especially for sites that haven’t confirmed they have patched their servers against the vulnerability. Mashable has a list of websites affected by Heartbleed which can be consulted for a more detailed list.

Stop the Bleeding!

How do you create secure passwords? The best way is with a random password generator. Of course, you’ll need to store all the passwords you’ve created or else you probably won’t remember them. I use and recommend 1Password who is currently offering a 50% off sale. Please see the 1Password blog post for more information as well.