Heartbleed Bug: Change Your Passwords Now

Author: Rachel Durkan Category: B2B, B2C, E-commerce & Retail, Nonprofit, Social Media & Digital, Web Design Date: April 10, 2014

I felt compelled to tell you about the Heartbleed Bug that has been dubbed one of the “biggest security threats the Internet has ever seen.” That sounds serious enough to tell you about it. This “bug” has affected many popular websites, like the ones that you use on a daily basis. Google. Facebook. You know, the big guys. If you have any sensitive information (passwords, credit card information), then there is a chance it could have been compromised.

Now, I’m not saying that these sites have absolutely been affected, but what’s the effort to change a few passwords vs. risk losing your credit card information to some whack-jobs?

Thank you to Mashable for reaching out to some of these large companies to find out whether they were affected. Some of the companies already updated their servers with a security patch and fixed the issue. This means you should go and change your password immediately. 

Which websites should you absolutely change your password for:

1. Facebook, Unclear whether they were affected. “We added protections for Facebook’s implementation of OPenSSL before this issue was publicly disclosed. We haven’t detected any signs of suspicious account activity, but we encourage people to…set up a unique password.”

2. Tumblr, affected. “We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue.”

3. Google, affected. “We have assessed the SSL vulnerability and applied patches to key Google services.” Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine were affected; Google Chrome and Chrome OS were not.

4. Yahoo, affected. “As soon as we became aware of the issue, we began working to fix it…and we are working to implement the fix across the rest of our sites right now.” Yahoo Homepage, SEarch, Mail, Finance, Sports, Food, Tech, Flickr, and Tumblr were patched.

5. Gmail, affected. “Google said users do not need to change their passwords, but because of the previous vulnerability, better safe than sorry.”

6. Yahoo Mail, affected.

7. Amazon Web Services, affected. Most services were unaffected or Amazon was already able to apply mitigations. Elastic Load Balancing, Amazon EC2, Amazon Linux AMI, Red Hat Enterprise Linux, Ubuntu, AWS OpsWorks, AWS Elastic Beanstalk and Amazon CloudFront were patched.

8. GoDaddy, affected. “We’ve been updating GoDaddy services that use the affected OpenSSL version.”

9. Intuit (TurboTax), affected. TurboTax “has examined its systems and has secured TurboTax to protect against the “Heartbleed” bug.”

10. Dropbox, affected. “We’ve patched all of our user-facing services & will continue to work to make sure your stuff is always safe.”

11. LastPass, affected. “Though LastPass employes OpenSSL, we have multiple layers of encryption to protect our users and never have access to those encryption keys.”

12. OKCupid, affected. “We, like most of the Internet, were stunned that such a serious bug has existed for so long and was so widespread.”

13. SoundCloud, affected. “We will be signing out everyone from their SoundCloud accounts…and when you sign back in, the fixed we’ve already put in place will take effect.”

14. Wunderlist, affected. “You’ll have to simply log back into Wunderlist. We also strongly recommend that you reset your password for Wunderlist.”

For the full list, and to see which websites were also approached by Mashable, you could check out their article here. 

My best advice to you, is, change your password because you’re better safe than sorry. And, make it a habit to change your password every 30-90 days depending on the sensitivity of the information on the website. (a TurboTax might be a little more sensitive than an OKCupid. Just saying.)