What You Should Know About
THE HEARTBLEED BUG!!!
An encryption flaw called the Heartbleed bug that has exposed a collection of popular websites — from Airbnb and Yahoo to NASA and OKCupid — could be one of the biggest security threats the Internet has ever seen. If you have logged into any of the affected sites over the past two years, your account information could be compromised, allowing cybercriminals to snap up your credit card information or steal your passwords.
You're likely either affected directly or indirectly by the bug, which was found by a member of Google's security team and a software firm named Codenomicon.
The bad news: There's not a lot you can do about it now. It's the responsibility of Internet companies to update their servers to deal with Heartbleed, and once they do, you can take action (see below).
The issue involves network software called OpenSSL, which is an open-source set of libraries for encrypting online services.
Secure websites — with “https” in the URL ("s" stands for secure) — make up 56% of websites, and nearly half of those sites were vulnerable to the bug. In theory, a cybercriminal could have exploited Heartbleed by making network requests that could piece together your sensitive data.
The good news: There isn't any indication that a hacker caught wind of this; it seems the researchers were the first to locate the problem.
But the scary part is that attackers could have infiltrated these websites, extracted the information they wanted and left no trace of their presence. Thus, it's hard to determine whether someone ever exploited the bug, or if your account information was compromised.
What to do about it...
First, check which sites you use are affected. If you don't want to read through the long list of websites with the security flaw, the password security firm LastPass has set up a Heartbleed Checker, which lets you enter the URL of any website to check its vulnerability to the bug and if the site has issued a patch.
Next, change your passwords for major accounts — email, banking and social media logins — on sites that were affected by Heartbleed but patched the problem. However, if the site or service hasn't patched the flaw yet, there's no point to changing your password. Instead, ask the company when it expects to push out a fix to deal with Heartbleed.
A big cause for concern is related to sites that have your sensitive information, such as Yahoo and OKCupid (most people aren't logging into NASA.gov with private data). Both companies have since issued a patch to fix the security hole, so users with accounts with those companies — including Yahoo Mail, Flickr and so on — should update their passwords immediately.
Facebook and Twitter use OpenSSL web servers, though it's still unclear whether or not they were vulnerable to the issue. Facebook reportedly issued a security patch last week.
Other websites that have issued an OpenSSL software security update include WordPress, Amazon Web Services and Akamai. Some websites not considered vulnerable include Google, Tumblr, Foursquare and Evernote, among others.
"It's a big deal for Internet users, but especially when it comes to protecting financial information," Joe Siegrist, CEO and cofounder of LastPass, told Mashable. "Some financial organizations are using more conservative web security choices like Microsoft, which is not vulnerable to the bug, so users should check and see if their bank has been affected."
Make sure to keep an eye on sensitive online accounts, especially banking and email, for suspicious activity for the next week or so.
"Mashable." Mashable. N.p., n.d. Web. 09 Apr. 2014.