An online bug called "Heartbleed" is affecting a huge chunk of the Internet, which means that a password change is likely in order for hundreds of millions of people.
More than half a million sites that use the security system called OpenSSL are vulnerable, according to Netcraft, and have had to install a new security patch. Before this patch, private data on websites such as Yahoo, Google and Tumblr could have been vulnerable to hackers, experts said. This bug was discovered by a team of security engineers at tech company Codenomicon and Neel Mehta of Google Security.
Joost Bijl, a product manager with the cybersecurity firm Fox IT, said that affected websites should be letting consumers know that a fix has been installed. But so far, it does not appear that any major website besides Tumblr has reached out to consumers.
Here's what you should know about "Heartbleed" and some ways to protect yourself:
Tumblr issued a warning on Tuesday, saying the blog site has "no evidence of any breach and, like most networks, our team took immediate action to fix the issue," but users should change all their passwords.
This Is Serious
Codenomicon set up a Heartbleed info website, saying, "Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously."
Codenomicon CEO David Chartier said that users on impacted websites should change their passwords, but only once the site administrators have appropriately installed the patch to fix the problem. It doesn't help to change the password if the site has not been updated, though Chartier estimated that the fix is probably already in place on most of the major websites. The problem has been around for two years and was discovered last Friday, he said.
Chartier also said their investigation shows that OpenSSL is used by at least 66 percent of all servers on the Internet.
A Facebook spokesperson said the company "added protections for Facebook's implementation of OpenSSL before this issue was publicly disclosed, and we're continuing to monitor the situation closely."
"We haven't detected any signs of suspicious account activity that would suggest a specific action, but we encourage people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don't use on other sites," the Facebook spokesperson said.
A Google spokesperson said in an emailed statement, "The security of our users' information is a top priority. We proactively look for vulnerabilities and encourage others to report them precisely so that we are able to fix them before they are exploited. We have assessed the SSL vulnerability and applied patches to key Google services."
They later added to their statement saying that, "The security of our users' information is a top priority. We fixed this bug early and Google users do not need to change their passwords."
Google also posted a blog today detailing the fix for the bug and pointing out that Android users are not vulnerable.
In a statement, Yahoo said, "A vulnerability, called Heartbleed, was recently identified impacting many platforms that use OpenSSL, including ours."