About the “Heartbleed” Bug
The “Heartbleed” Bug (aka CVE-2014-0160) is a security vulnerability that has affected many mainstream sites on the web that use specific versions of OpenSSL. OpenSSL is a widely used open-source encryption library that websites use to encrypt data transfers, and the Heartbleed vulnerability has left many OpenSSL-encrypted sites open to potential hackers. Note that most financial sites use proprietary encryption methods and not OpenSSL, so this situation has not affected most banking or credit card sites. This OpenSSL vulnerability means that your user names, passwords, and credit card information on affected sites may have been compromised.
Here’s what to do:
- Read this entire post, and change your passwords immediately for the sites listed at the bottom of this post, under the heading “Change the following passwords immediately.”
- Don’t panic, and stay informed. Find links to informational material below. Just like fraud on credit cards, which has happened to most of us at some point over the years, we have to start from where we find ourselves and implement best practices for the present and the future.
- Keep a close eye on financial statements this month. Look over your bank account and credit card account statements closely, and follow up on any questionable charges. We should be doing this anyway, and this is a good time to start the habit if we have gotten a little complacent. You could check your recent transactions list now.
- Change your usernames and passwords on all sites that have been affected, but do so ONLY AFTER you have confirmed the site in question has updated its OpenSSL to a secure version. If you change your password before the site has closed the OpenSSL loophole, you may be giving a hacker your new password. Check Cnet.com’s or Mashable.com’s list of sites that have patched the loophole.
- Use different passwords for each site. I know this is a pain, but we simply must no longer use a single password for all sites. It’s just too risky. To help with this, we should all… (see the next item)
- Seriously consider using a password manager. The best in the business for Mac and iOS is 1Password, and everyone really should consider investing in it, especially as it’s 50% off right now. Check it out here: https://agilebits.com/onepassword. Built into Mac OS X 10.9 Mavericks and iOS 7.0.3+ is Apple’s secure iCloud Keychain password manager. It works well with Safari on Mac and iOS, but not with other browsers, and it holds only passwords and credit card information, not secure notes or other information (e.g. software serial numbers) as 1Password and other more robust password managers can. At the very least, everyone should use iCloud Keychain, and use Apple’s suggested randomly generated passwords rather than re-using a single user-determined password.
Change the following passwords immediately — stop what you are doing and do this NOW:
Below is a short list of popular sites on which you should change your password right away. This is NOT a complete list of affected sites; it is just my shorthand reminder of some of the most popular sites you should address immediately. These sites have patched the loophole and are ready for us to change our passwords now. Check the live-updated list from cnet.com or Mashable.com’s list (both also mentioned above) for updated information. But again, address these sites/accounts immediately:
- Gmail / Google account