This is a post to help people learn more about the Heartbleed bug. Please share this post and pass it on!
Important Facts on Heartbleed
What is Heartbleed?
- The Heartbleed bug is a major security flaw discovered in OpenSSL, a popular open source data encryption library, that exposes massive amounts of private user data stored on servers by websites to potential hacking.
- The vulnerability could allow attackers to read users’ passwords and other sensitive data, and to trick them into using fake versions of web sites.
- The Heartbleed bug is a programming error in OpenSSL’s handling of the “heartbeat”, a small keep-alive message that one computer sends and the other echoes back. A heartbeat request states how long its payload is, and vulnerable versions trusted that stated length without checking it against the data actually received. A request that claims a larger payload than it carries therefore fools the computer into replying with whatever sits next to the request in its memory, which can include passwords and other sensitive data, even though the connection itself is encrypted (information that has been scrambled so that it is only readable by the intended recipient’s computer).
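The following is an added illustration of the missing length check described above; it is not code from the original post and not OpenSSL’s own code. It uses a constructed, simplified heartbeat layout (type byte, two-byte claimed length, payload, 16 bytes of padding) and a simulated block of server memory, and shows the same handler with and without the one-line bounds check that the fix introduced.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the heartbeat record layout (simplified, not OpenSSL's):
   byte 0 = message type, bytes 1-2 = claimed payload length (big-endian),
   then the payload bytes, then 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Simulated server memory: the received record sits at the start, and whatever
   the process happened to store next (here a constructed secret) follows it. */
static unsigned char server_memory[256];

/* Builds a reply for a heartbeat request. Returns the reply length, or -1 if the
   request is rejected. 'bounds_check' selects the vulnerable or the fixed behaviour. */
int handle_heartbeat(const unsigned char *record, size_t record_len,
                     unsigned char *reply, size_t reply_cap, int bounds_check)
{
    if (record_len < 3 || record[0] != HB_REQUEST) return -1;
    unsigned int claimed = ((unsigned int)record[1] << 8) | record[2];

    if (bounds_check) {
        /* The fix: the claimed payload, plus header and padding, must fit inside
           what was actually received. Vulnerable versions lacked this line. */
        if (1 + 2 + (size_t)claimed + HB_PADDING > record_len) return -1;
    }

    size_t out = 1 + 2 + (size_t)claimed + HB_PADDING;
    if (out > reply_cap) return -1;
    reply[0] = HB_RESPONSE;
    reply[1] = (unsigned char)(claimed >> 8);
    reply[2] = (unsigned char)(claimed & 0xff);
    /* Without the check above, this copy trusts 'claimed' and reads past the end
       of the record into adjacent memory, which then goes out in the reply. */
    memcpy(reply + 3, record + 3, claimed);
    memset(reply + 3 + claimed, 0, HB_PADDING); /* padding; real code uses random bytes */
    return (int)out;
}

/* Writes a constructed request into server_memory: a 5-byte payload ("hello")
   with the given claimed length, followed by a constructed secret. Returns the
   number of bytes that were actually "received". */
static size_t build_request(unsigned int claimed)
{
    const char *secret = "SECRET=constructed-sample-value";
    memset(server_memory, 0, sizeof server_memory);
    server_memory[0] = HB_REQUEST;
    server_memory[1] = (unsigned char)(claimed >> 8);
    server_memory[2] = (unsigned char)(claimed & 0xff);
    memcpy(server_memory + 3, "hello", 5);
    memset(server_memory + 8, 0xAA, HB_PADDING);
    size_t record_len = 3 + 5 + HB_PADDING;              /* 24 bytes on the wire */
    memcpy(server_memory + record_len, secret, strlen(secret));
    return record_len;
}

/* Byte-wise search, since the reply is binary and not NUL-terminated. */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Malicious-shaped request: claims 64 bytes but carries 5.
   Returns 1 if the reply leaked the secret, 0 if not, -1 if the request was rejected. */
int heartbeat_leak_demo(int bounds_check)
{
    unsigned char reply[256];
    size_t record_len = build_request(64);
    int n = handle_heartbeat(server_memory, record_len, reply, sizeof reply, bounds_check);
    if (n < 0) return -1;
    return contains(reply, (size_t)n, "SECRET=");
}

/* Honest request: claims exactly the 5 bytes it carries. Returns the reply length. */
int heartbeat_honest_demo(int bounds_check)
{
    unsigned char reply[256];
    size_t record_len = build_request(5);
    return handle_heartbeat(server_memory, record_len, reply, sizeof reply, bounds_check);
}

int main(void)
{
    printf("vulnerable handler, oversized claim: leaked=%d\n", heartbeat_leak_demo(0));
    printf("fixed handler, oversized claim:      result=%d (-1 = rejected)\n", heartbeat_leak_demo(1));
    printf("fixed handler, honest request:       reply length=%d\n", heartbeat_honest_demo(1));
    return 0;
}
```

The honest request is answered identically by both versions (a 24-byte reply), which is why the fix could be deployed without breaking clients; only a request whose claimed length exceeds what was received is refused.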
Who could be vulnerable to Heartbleed?
- Most people are likely to be vulnerable either directly or indirectly because of the wide variety of websites and apps that we use frequently, though this doesn’t necessarily mean that your personal data has been accessed or exploited.
- Many different websites may be affected, including popular social sites, email sites, company sites, commercial sites, hobby sites and even government sites. You can check a website to see if it has been affected.
What are some important points?
- The Heartbleed bug will require major changes to websites, as well as the need for users to change passwords used on most websites we use on a daily basis.
- Avoid logging into accounts on affected sites until you have been informed that the company has fixed the problem.
- Security experts advise against immediately changing passwords until a website has confirmed a fix, because further activity on an unpatched site could worsen the problem or expose users to hacking.
Who has been affected already by Heartbleed?
- The problem may be affecting as many as 500,000 servers, used by many of the popular websites we use daily including Yahoo, Tumblr, Flickr, OKCupid, and many more.
- Sites including Google, Twitter, Facebook, Dropbox and Microsoft do not seem to be affected as of now.
How many people have been affected?
- If hackers exploit the Heartbleed bug it doesn’t leave a trace of any abnormal activity, so it is difficult to know exactly how many people have been affected.
- Considering OpenSSL is used by many websites that we use on a daily basis, whose encryption software may not have been updated for years, there’s a good chance that many people are vulnerable and a good number affected.
What do you do if you have been affected?
- While you may not know right away whether you have been affected, there are a number of steps you can take to reduce your exposure and to protect your data if it has been accessed.
- Do not log into accounts that have been affected and in general minimize web use as much as possible for the next few days as patches are installed.
- Keep a close eye on bank statements and credit card information for the next week to look for any unfamiliar charges and report any suspicious activity to your financial institution.
- When you have received confirmation from a website that the bug has been fixed, change the passwords of sensitive accounts, especially banks and emails first.
- Contact companies and websites that have your data, especially smaller ones, to find out what steps they are taking to fix the bug and protect your data.
What are top resources for the Heartbleed bug?
- Learn more about the details and updates about the Heartbleed Bug from http://heartbleed.com/.
- Check to see if a website is affected with this tester: http://filippo.io/Heartbleed/.
- LastPass is another resource for checking a website’s vulnerability: http://www.cnet.com/news/lastpass-checks-sites-for-heartbleed-automatically/
Other key points on Heartbleed
- Consider implementing two-step verification where possible, which sends a secondary code to a different device as an added security measure.
- Look into using a password manager for your accounts. It generates randomized passwords and makes it easy to change them frequently, which reduces the chance of exposure to security threats and relieves you of having to memorize increasingly complex and changing passwords.
- Take care with what information you store and share online, be extremely cautious if any individual or website asks for private data, and keep your personal information as secure as possible.
- Clear the cookies and browsing history from your computer now and frequently, to minimize accessibility of personal data.
- Encourage websites that you use for work or leisure to implement two-step verification and other security measures to protect your data.