On April 7, 2014, news spread of a major encryption flaw known as the Heartbleed bug. While it sounds like something you’d get after a bad breakup, Heartbleed has already been called one of the biggest internet threats in history.
What Does This Mean?
The Heartbleed bug is not a virus or malware. It’s a programming flaw in encryption software that many websites use to protect your sensitive information. This means that someone able to exploit this vulnerability against a site could potentially access your account information and anything else that the affected encryption software is supposed to protect.
If a site has been affected by the Heartbleed bug, it means that user account information has potentially been left exposed over the past two years. This includes user names, passwords, credit card information and more.
What’s the Non-Techy Explanation?
Think of Heartbleed like a broken fence board. The fence is there to protect your property (just as encryption software exists to protect your personal information online), but with the board missing, anyone with the intent and the skill can get into your yard and reach your property. The missing fence board leaves your property sitting there exposed, just as Heartbleed leaves your personal information exposed.
The good news is that not every site uses the affected software (just like your neighbors have more secure fences than you do). Additionally, many of those sites that do use the affected software have applied patches to fix this vulnerability (just like you can replace the broken fence board to secure your fence once again).
Does This Affect Me?
There’s a very good chance that you have been affected. Some of the most popular sites we use on a regular basis have been affected (list below).
How Did This Happen?
Even if you don’t know much about computers and the internet, chances are you’ve heard the term SSL used in connection with securing sites and encrypting data on the many sites that use passwords and hold sensitive information. The Heartbleed bug is a vulnerability in certain types of SSL that allows anyone on the internet who knows how to exploit it to read the memory of any system using this type of SSL. Attackers can gain access to content that is believed to be secure but is exposed by this bug, and they can eavesdrop, steal data and impersonate users and services.
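To make the "programming flaw" concrete, here is an added toy model of the bug, written for this page and not taken from the affected software: a server that answers a "heartbeat" message by echoing back as many bytes as the sender claims to have sent, without checking that claim, beside the fixed version that discards any message whose declared length does not fit. The three-byte heartbeat header (type, length) is the real layout; the simulated memory buffer and the handler functions are constructed for illustration.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER = struct.Struct("!BH")  # 1-byte message type, 2-byte big-endian payload length


def simulated_memory(payload):
    """Constructed stand-in for server memory: the received payload is copied to
    the front, and whatever else the server happened to hold sits right after it."""
    return payload + b"session=abc123;password=hunter2"


def build_heartbeat(declared_len, payload):
    """Encode a heartbeat request whose length field need not match the payload."""
    return HEADER.pack(HEARTBEAT_REQUEST, declared_len) + payload


def vulnerable_handler(record):
    """Unpatched logic: trusts the declared length and copies that many bytes out
    of memory, so a length larger than the real payload spills adjacent data."""
    hb_type, declared_len = HEADER.unpack_from(record)
    payload = record[HEADER.size:]
    memory = simulated_memory(payload)
    return HEADER.pack(HEARTBEAT_RESPONSE, declared_len) + memory[:declared_len]


def patched_handler(record):
    """Fixed logic: the declared length must fit inside the record actually
    received; otherwise the message is dropped (None) and nothing is echoed."""
    if len(record) < HEADER.size:
        return None
    hb_type, declared_len = HEADER.unpack_from(record)
    if hb_type != HEARTBEAT_REQUEST:
        return None
    payload = record[HEADER.size:]
    if declared_len > len(payload):
        return None  # the length field lies about the payload: discard it
    return HEADER.pack(HEARTBEAT_RESPONSE, declared_len) + payload[:declared_len]


def leaked_bytes(response, payload):
    """Bytes in a response beyond the genuine payload, i.e. what was exposed."""
    if response is None:
        return b""
    return response[HEADER.size + len(payload):]
```

The missing bounds check in `vulnerable_handler` is the whole flaw: an honest message gets the same reply from both handlers, while a message that overstates its length makes the unpatched handler return the neighbouring "memory" and makes the patched one return nothing.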
What Sites Have Been Affected?
The following popular sites have reported having been affected by the Heartbleed bug:
- Amazon Web Services (for website operators, not the main Amazon sites)
- Intuit (TurboTax)
- Yahoo Mail
The following sites have reported possibly being affected by the Heartbleed bug:
- H&R Block
- Healthcare.gov
Click here to see a list of 10,000+ sites that have been checked for the Heartbleed vulnerability. Please note sites listed as vulnerable may no longer be vulnerable, but were at the time of testing. Click here to view the top 100 sites and see if they have patched the Heartbleed bug.
The following sites have reported NOT being affected by the Heartbleed bug:
1040.com, Amazon, AOL, Bank of America, Capital One, Chase, E*Trade, Evernote, Fidelity, FileYourTaxes.com, Hotmail/Outlook, LinkedIn, Microsoft, PayPal, PNC, Schwab, Scottrade, Spark Networks (JDate, Christian Mingle), Target, TD Ameritrade, TD Bank, U.S. Bank and Wells Fargo.
What Do I Need to Do?
While it’s a good general practice to change your passwords every couple of months, now is a really good time to change your passwords again, especially if you use any of the sites that were affected. Keep in mind, however, that if a site has not yet fixed the problem on its end, your information, including a newly chosen password, can still be exposed regardless of whether you changed your password. Chances are that by the time you read this article, any affected sites will have been patched and will no longer be vulnerable.
How Do I Know if a Site Has Patched Their Vulnerability?
The good news is that patches exist for all of the sites on the affected list above, and for some of the possibly affected sites. Additionally, some sites use multiple types of encryption, so even if they were affected by Heartbleed, they were protected by an additional layer of encryption. Most sites have already patched the vulnerability, and those that haven’t are currently in the process of fixing it.
Where Can I Get More Information About the Heartbleed Bug?
Check out the following:
- The Heartbleed Hit List: The Passwords You Need to Change Right Now
- The Heartbleed Bug
- Which sites have patched the Heartbleed bug?