These Are The Sites Where You Should Change Your Password Right Away
Multiple popular websites were exposed to a major Internet bug called Heartbleed earlier this week. As much as 66% of the web may have been compromised by Heartbleed.
Some websites running SSL encryption, such as Airbnb, Pinterest, USMagazine.com, NASA, and Creative Commons, among others, were exposed to a major security bug called Heartbleed on Monday. The bug was reportedly discovered by a member of Google's security team and a software security firm called Codenomicon. (mashable.com)
The bug affects web servers running Apache and Nginx software, and it has the potential to expose private information users enter into websites, applications, web email and even instant messages. And while most security experts advise that you always use websites and services offering SSL security encryption whenever possible, the Heartbleed bug has the ability to allow malicious operators to defeat this security layer and capture passwords as well as forge authentication cookies and obtain other private information. (sci-tech-today.com)
What is Heartbleed?
Basically, when you make a transaction online today, whether it’s with a bank or a credit card company, part of what ensures security is a protocol called SSL. It’s just a way to encrypt the data so that nobody can read it when it’s being transmitted from you to the bank or another company. Heartbleed is a way that an attacker can steal bits of information about that transaction — things you thought were being safeguarded. The attacker can start reading data about a transaction and learn things like your passwords and credit card numbers that you thought were kept confidential. (nytimes.com)
Heartbleed is a serious security threat that has the potential to expose users' private information, including passwords, financial details and instant messages, among other things
How did this happen?
What happened was, two years ago a programming flaw was put into this thing called OpenSSL, an open-source implementation of the SSL protocol. A lot of websites use OpenSSL to achieve security. What happened in these cases is that these programs are very complicated, and when things are very complex, some flaws can be missed. It may have been there all along, but it was just hidden in plain sight from the perspective of everybody else. (troyhunt.com)
But how could the flaw not get noticed for two years?
The Heartbeat protocol is a sub-part of SSL. Heartbeat is meant to ensure communications are kept alive. So when two people are communicating and there hasn’t been any communication for a while, it keeps the communication line alive for a bit — it keeps a session alive so it doesn’t get taken down. What would typically happen in SSL is the communication would get terminated immediately. Heartbeat is not the main part of SSL. It’s just one additional feature within SSL. And as an additional feature, it may not get as much scrutiny as the main part itself. So it’s conceivable that nobody looked at that code as carefully because it was not part of the main line. (nytimes.com)
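As an added illustration, not taken from any of the quoted sources, the following Python models the Heartbeat message the interviewee describes and the one check that separates a vulnerable OpenSSL from a fixed one: a request whose declared payload length does not fit inside the received record must be silently discarded (RFC 6520, section 4). The `process_memory` bytes and the sample messages are constructed stand-ins, not real captures.

```python
from __future__ import annotations
import struct

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
HEADER_LEN = 3     # type (1 byte) + payload_length (2 bytes, big-endian)
MIN_PADDING = 16   # RFC 6520 requires at least 16 bytes of padding after the payload

def build_heartbeat_request(payload: bytes, claimed_length: int | None = None) -> bytes:
    """Encode a HeartbeatRequest. claimed_length lets a test build a malformed
    message whose declared payload_length disagrees with the bytes actually sent."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING

def handle_heartbeat(record: bytes, process_memory: bytes, patched: bool) -> bytes | None:
    """Model of the server-side handler (hypothetical, not OpenSSL's code).

    process_memory is a constructed stand-in for whatever sat in the heap after
    the record buffer. An unpatched handler trusts payload_length and copies that
    many bytes into the response; a patched handler first checks that the declared
    length fits inside the received record and silently drops the message if not.
    Returns the HeartbeatResponse bytes, or None when the message is discarded.
    """
    if len(record) < HEADER_LEN:
        return None
    msg_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if patched and HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None  # declared length exceeds what was received: discard silently
    buffer = record + process_memory  # contiguous memory, as the C code would see it
    echoed = buffer[HEADER_LEN:HEADER_LEN + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, len(echoed)) + echoed + b"\x00" * MIN_PADDING

def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload (without padding) from a HeartbeatResponse."""
    _, length = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + length]

# Constructed samples: a well-formed keep-alive, and a malformed one that claims
# 64 bytes while sending only 2. MEMORY is fake data standing in for the heap.
MEMORY = b"[constructed heap] session_cookie=EXAMPLE-COOKIE-VALUE [end of heap]"
GOOD = build_heartbeat_request(b"ping")
BAD = build_heartbeat_request(b"hi", claimed_length=64)

if __name__ == "__main__":
    print(response_payload(handle_heartbeat(GOOD, MEMORY, patched=True)))   # b'ping'
    print(handle_heartbeat(BAD, MEMORY, patched=True))                      # None
    print(response_payload(handle_heartbeat(BAD, MEMORY, patched=False)))   # 64 bytes, incl. heap
```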
You're likely affected either directly or indirectly by the bug, which is not the actual bad news. The actual bad news is that:
There's not a lot you can do about it now. It's the responsibility of Internet companies to update their servers to deal with Heartbleed, and once they do, you can take certain action. (mashable.com)
The issue involves network software called OpenSSL, which is an open-source set of libraries for encrypting online services. Secure websites — with “https” in the URL ("s" stands for secure) — make up 56% of websites, and nearly half of those sites were vulnerable to the bug. In theory, a cybercriminal could have exploited Heartbleed by making network requests that could piece together your sensitive data. (mashable.com)
However, there is also good news
There isn't any indication that a hacker caught wind of this; it seems the researchers were the first to locate the problem. But the scary part is that attackers could have infiltrated these websites, extracted the information they wanted and left no trace of their presence. Thus, it's hard to determine whether someone ever exploited the bug, or if your account information was compromised. (indiatimes.com)
So, what, as a user, are you supposed to do?
First, check which sites you use are affected. If you don't want to read through the long list of websites with the security flaw, the password security firm LastPass has set up a Heartbleed Checker, which lets you enter the URL of any website to check its vulnerability to the bug and whether the site has issued a patch. (mashable.com)
Next, change your passwords for major accounts — email, banking and social media logins — on sites that were affected by Heartbleed but have patched the problem. However, if the site or service hasn't patched the flaw yet, there's no point in changing your password. Instead, ask the company when it expects to push out a fix to deal with Heartbleed. (huffingtonpost.com)
A big cause for concern is related to sites that have your sensitive information, such as Yahoo and OKCupid (most people aren't logging into NASA.gov with private data). Both companies have since issued a patch to fix the security hole, so users with accounts with those companies — including Yahoo Mail, Flickr and so on — should update their passwords immediately. (mashable.com)
Facebook and Twitter use OpenSSL web servers, though it's still unclear whether or not they were vulnerable to the issue. Facebook reportedly issued a security patch, as did Google. Other websites that have issued an OpenSSL software security update include WordPress, Amazon Web Services and Akamai. Some websites not considered vulnerable include AOL, Foursquare and Evernote, among others. (huffingtonpost.com)
Make sure to keep an eye on sensitive online accounts, especially banking and email, for suspicious activity for the next week or so. (mashable.com)
At this point, it isn't clear which sites have been affected and no one is certain if hackers were aware of the bug prior to the outbreak
Some Internet companies that were vulnerable to the bug have already updated their servers with a security patch to fix the issue. This means you'll need to go in and change your passwords immediately for these sites. Even that is no guarantee that your information wasn't already compromised, but there's no indication that hackers knew about the exploit before this week. (mashable.com)
REMEMBER: Changing your password regularly is always a good practice