If you’ve been paying attention to tech news this week you’ve probably heard about Heartbleed, the security flaw that has widespread implications across the Internet. Chances are if you’re on the Internet you’ve been on a website that has been affected by Heartbleed.
You need to know what Heartbleed is and what you should do to protect yourself.
What Is Heartbleed?
Heartbleed is a security flaw that allows hackers to break into websites and retrieve information from them. The flaw is in software that was designed to make certain websites secure; instead, the Heartbleed bug lets hackers read information held by those websites.
This vulnerability means that information you may have entered into an affected website, such as user names, passwords, emails, and credit card numbers, could have been exposed to hackers. The Heartbleed flaw existed for over two years before it was recently discovered.
The Wall Street Journal is reporting that the Heartbleed bug has also been found in routers and other networking equipment. See Heartbleed Bug Found in Cisco Routers, Juniper Gear.
Security expert Bruce Schneier explains the gravity of the situation in his Heartbleed blog post: “‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”
Why Is Heartbleed So Important?
Heartbleed affects websites that were supposed to be safe, those with SSL security certificates. Browsing the Web, you can see which sites have SSL security certificates when you see https:// instead of http:// before the URL (the URL is the web address of a site, such as wonderoftech.com). HTTPS was designed to signal the safety of a website so that people surfing the Internet could identify which websites were secure.
Because of Heartbleed, HTTPS no longer gives reliable assurance of the safety of a website.
See How to Shop Online With Added Security for more information about HTTPS websites.
Note that there have been no reports of any data being stolen using the flaw but that doesn’t mean that no information was taken. Think of Heartbleed as if you installed a heavy-duty padlock on the front door of your home then arrived home from a trip and discovered that your back door was unlocked. The difference with Heartbleed is that you can’t check your stuff to see whether anything is missing.
Which Sites Are Affected?
The list of websites vulnerable to Heartbleed is long and includes major sites such as Google, Yahoo, Facebook, Instagram, Pinterest, Tumblr and many more. An estimated 2/3 of websites have been affected. According to InfoWorld, “Canada’s online tax filing services had to be shut down completely in the wake of Heartbleed, leaving filers out in the cold right before their tax deadlines.”
How can you tell if a website is vulnerable to Heartbleed? You can check whether a website is affected at http://filippo.io/Heartbleed/.
Which Sites Are Not Affected?
The good news is that not all websites were affected by Heartbleed. According to Mashable, unaffected sites include amazon.com, Target, Microsoft, AOL, PayPal, Wells Fargo, Walmart, Nordstrom, Bank of America, Chase, Capital One and others.
See The Wall Street Journal's U.S. Regulators Tell Banks to Plug ‘HeartBleed’ Security Hole.
What to Do to Protect Yourself
Check to see if affected websites where you have accounts have been patched. Once they have been, be sure to change your password. Keep an eye on your credit card and bank statements for any unusual activity.
If you use the LastPass password management service, check out their Heartbleed blog post to find out how LastPass can help you monitor your online accounts. If you weren’t using LastPass already, signing up now won’t help you monitor your accounts for Heartbleed vulnerabilities.
What Not to Do
→ Don’t change your password on an affected site until you know the issue has been fixed. If you change your password before the bug has been patched you will be vulnerable to your new password being stolen just as easily as your old password could have been.
Mashable has a list of the major websites that have been affected and shows which of them have fixed the problem: The Heartbleed Hit List: The Passwords You Need to Change Right Now.
→ Don’t click on a link in an email to change your password. Hackers will exploit the Heartbleed scare to send out spam emails phishing for your user names and passwords. If you get an email suggesting that you change your password, go to the website directly by typing the URL into the address bar of your browser.
You can find out more information from heartbleed.com.
Your Thoughts
Had you heard the news about Heartbleed? What steps have you taken to protect yourself? Does this make you less confident about using the Internet? Share your thoughts in the Comments section below!
Harleena Singh says
Hi Carolyn,
Informative post indeed 🙂
I hadn’t even heard of the term Heartbleed till yesterday, when I read Kim’s post about it, though I didn’t have a chance to read it fully as I was catching up with pending comments (it’s still lying in my RSS to be read!). But I just scanned through it and then I learnt all the details.
However, you explained it all SO well, just as you always do, which makes it much easier for us to understand things related to the latest tech or other such issues. Yes, security is of major concern to all of us, and we need to be careful of such hackers by taking measures, just as you mentioned in the end.
I haven’t as yet come across any site that’s asked me for the password, and if it happens, I’m going to do just what you mentioned 🙂
Thanks for sharing this with us. Have a nice weekend 🙂
Carolyn Nicander Mohr says
Hi Harleena, Yes, Heartbleed has been big news in the tech world this week and I was working on this article when I got Kim Castleberry’s email. Definitely take the time to read what she has to say. Her information is very helpful for website owners.
I have been getting emails from websites requesting that I change my password. But it is important not to click on the link in the email because of phishing. Instead type the URL in the address bar of your browser then change your password.
These types of articles are my least favorite to write but are perhaps the most important ones for people to read. Thanks so much for sharing this widely, Harleena.
Ileane says
Hi Carolyn,
So far Pinterest is the only account that demanded that I change my password. I did right away on my primary account. Then today I tried to change the pw on my work account and I got a message that said the link in the email expired after 24 hours.
I requested a new reset link hours ago and it still hasn’t arrived. Kind of annoying because I do a lot of pinning on Friday morning for that account and it looks like that’s not going to happen.
Thanks for all the links and resources!
Carolyn Nicander Mohr says
Hi Ileane, Your comment concerns me. You should be able to go into Pinterest directly and change the password of your account. You should not have to click on a link in an email to change your password.
Maybe you were emailed a link to reset your password because you forgot what your password was for Pinterest and they sent you a link to reset your password and that link expired?
I hope you are able to get this sorted soon, Ileane.
Dipraj says
I am pretty amazed that sites like Facebook will be affected. Will it really be true?
Carolyn Nicander Mohr says
Hi Dipraj, Welcome to The Wonder of Tech! Yes, it’s true. 2/3 of Internet servers use the SSL certificates that contain the bug. That’s why major sites such as Facebook, Google and Yahoo were affected. The impact of Heartbleed is extremely broad which is why nearly everyone who uses the Internet is affected by Heartbleed.
Dipraj says
Thanks for it! Now my idea is crystal clear.
Carolyn Nicander Mohr says
That’s great news, Dipraj. Thanks so much for stopping back by and letting us know.
Nanda Rahmanius says
Hi Carolyn,
You know, when I heard the news about Heartbleed, I knew you’d write an article about this. And it seems I’m correct 😀
I am still grateful that PayPal is not affected by Heartbleed 🙂
In this article, you said do not click on the email to change the password. Honestly, I have clicked on an email from Pinterest that told me to change my password, and now my password has been changed. Then, what will happen, Carolyn?
Thanks for sharing this informative article, Carolyn.
Nice info!
Regards,
Nanda
Carolyn Nicander Mohr says
Hi Nanda, Yes, I would rather write about fun and exciting technology but this news about Heartbleed was so important that I wanted to share it with Wonder of Tech readers.
The email from Pinterest might have been legitimate, Nanda. To be sure you can go to the Pinterest website directly by typing pinterest.com in the address bar and change your password again. That way you have more assurance that you are changing your password safely.
Jeevan Jacob John says
I am not sure how a person could miss Heartbleed…it’s all over the web! Can’t do a single thing without seeing a share, a post or anything about Heartbleed.
I didn’t pay much attention to it (I did hear that it was a vulnerability). Took some time to discover it, huh?
Wow, so many sites being vulnerable (luckily, not a lot of people knew about this vulnerability, right? Who discovered it anyways?).
I haven’t changed my password (Just did it a few months back…seems like I have to do it all again!).
I do use LastPass, but I also like to remember my password (especially for the big sites such as Facebook), just in case.
Oh, well. I am just going to ask LastPass to generate random passwords…let’s see how that goes 😀
Anyways, thank you for sharing the news, Carolyn 🙂 Appreciate it!
Carolyn Nicander Mohr says
Hi Jeevan, That’s great that you already use LastPass! Changing your passwords will be much easier then.
Great question. Heartbleed was discovered both by a Google engineer and a Finnish Internet security firm. You can read more about the discovery in this article: How Codenomicon Found The Heartbleed Bug Now Plaguing The Internet http://readwrite.com/2014/04/13/heartbleed-security-codenomicon-discovery#awesm=~oBrlNRwJJTHibH
Good luck with changing your passwords, Jeevan!
Kaloyan Banev says
It was a surprise for everybody. Pretty uncommon to find a bug in OpenSSL; practically all web servers run with it.
Carolyn Nicander Mohr says
Hi Kaloyan, You’re right, one estimate was that 2/3 of the servers in the world use SSL which is exactly why it’s important to take Heartbleed very seriously.
Samir says
Hello Carolyn,
First of all, thanks for sharing this very informative post today. I too just came to know about Heartbleed and I guess I’m gonna need to check all my accounts once.
Thanks
Carolyn Nicander Mohr says
Hi Samir, You’re right, it’s a two-step process. First see which accounts have been affected and then see which ones have fixed the issue. Only when that has been done should you change your password.
Ragib says
Thanks for sharing about Heartbleed, as I didn’t know there was something like this going on on the Internet right now.
Carolyn Nicander Mohr says
Hi Ragib, Yes, Heartbleed has been all over the news but it’s very confusing which is why I wanted to cover it here at The Wonder of Tech. I’m glad you found this article to be helpful.
Bill says
This is indeed great information on Heartbleed. I had been seeing it pop up on my LastPass account but never bothered reading the warning until now. Hopefully it’s not too late for me.
Carolyn Nicander Mohr says
Hi Bill, Welcome to The Wonder of Tech! I’m glad you’re going to take Heartbleed seriously now. Great that you have LastPass. Make good use of it in changing the passwords you need to.
I have no idea whether it’s too late for any of us, Bill. There aren’t any reports yet of any hackers retrieving information using the Heartbleed flaw but we can’t know for sure what has been compromised. We may never know how widespread the effects of Heartbleed are.
Peter says
Now that is really scary. At the same time this will be painful on the users’ part, especially if you have multiple accounts and use different passwords for each account. Setting new passwords for each account is very time consuming. But how will we know if the new password wasn’t exposed or compromised? I use strong passwords for my accounts, usually 12 to 16 characters. No wonder it’s called the Heartbleed bug. Damn, and all this time we thought using SSL was safe.
Carolyn Nicander Mohr says
Hi Peter, Welcome to The Wonder of Tech! Great question. SSL certificates were designed to give us assurance that websites were safe. Now we know that no website is 100% safe, even with SSL certificates.
Go to the affected website to see if they’ve fixed the problem. Only then should you change your password.
Peter says
Heartbleed is in fact the most dangerous security flaw to date, as it can break HTTPS security. But I think sometimes people get so freaked out by getting the information from the Internet. They keep on changing the passwords of all their accounts. I think that might not be the solution.
Carolyn Nicander Mohr says
Hi Peter, You’re exactly right, this flaw is the ultimate in dangerous because it affected websites that were supposed to be certified secure. When you find out those websites are vulnerable then you have difficulty trusting that any websites are safe.
Good point. Until the websites have fixed the flaw then changing your password will offer you no extra protection. Best to check with the affected website to see if they have announced a fix.
Adrienne says
Hi Carolyn,
I know that this was something a lot of people were totally freaking out about and I really don’t blame them, knowing that some of our accounts could be in jeopardy from something that neither we nor the site owners have any control over. I didn’t freak out myself because until further notice I knew that I shouldn’t jump the gun and start changing passwords. I did wait to find out what the next step was and for which sites.
Now, seeing your list here, I was told on another site that Amazon was affected, so I’m not sure who is right because it was also a reputable site. Oh well, it didn’t hurt to change the password anyway.
Appreciate the update, thank you so much.
~Adrienne
Carolyn Nicander Mohr says
Hi Adrienne, Yes, there was some confusion because Amazon Web Services (Amazon’s web hosting business) was affected but the Amazon.com retail site was not (according to all of the reports I read). Nevertheless, no harm in changing your password anyway, Adrienne.
Anurag says
Hi Carolyn,
It’s shocking news that I am seeing lately. But thank god I read this post. It is not that I have not heard about Heartbleed, but the thing is I did not care about it until now.
Thanks for the info.