Retailers Sending Mixed Messages in Wake of 'Heartbleed' Bug Scare

Most sites claim your password is safe, but others say "better safe than sorry."

ByABC News
April 10, 2014, 11:19 AM

April, 10, 2014— -- The dreaded "Heartbleed" bug has prompted security experts to warn that information on approximately half a million websites may be vulnerable to hacking, but most companies are still standing by their statements that customer information is safe, including retailer Target, which was the subject of a massive data hack reported last November.

Read More: 'Heartbleed' Online Bug: How to Protect Yourself

The contradictory tone of alarm and re-assurance has led to a patchwork of advice from online retailers and other companies with a major Web presence.

Department store Neiman Marcus, the subject of another recent security breach, did not immediately respond to's request for comment.

Read More: Hackers Steal Credit Card Data From Neiman Marcus Customers

Adam Levin, co-founder and chairman of IDentity Theft 911, said passwords do have to be changed, but if you do so, the timing counts.

"First, find out site by site what they're doing to get the site protected –- you can do this by seeing if they've issued a public statement or contact them directly. Once the problem is solved, then change your password –- make each new password unique and hard to crack," Levin said. "With any type of exposure, be extra careful of cyber thieves that look to harp on news to take advantage of consumers. Be cautious of shared links and news about the bug."

Here's what Target and other sites are saying about how they fixed potential vulnerabilities in their system:


Molly Snyder, a spokeswoman for Target, said the company launched a "comprehensive review of all external facing aspects of" on Tuesday.

"Based on our findings, we do not currently believe that any external-facing aspects of our sites are impacted by the OpenSSL vulnerability," Snyder reiterated on today.

OpenSSL is a protocol that is supposed to keep Web communication secure.


Ryan Moore, a spokesman for eBay, said, "eBay is aware of the security vulnerability identified in a version of OpenSSL, also known as the Heartbleed Bug. The vast majority of our services were not impacted and our users can continue to shop securely on our marketplace. Consumer safety is our top priority, and we will continue to monitor this bug to ensure our users remain protected."

The company told customers on Thursday: "1. Your Marketplaces account is secure

2. Your Marketplaces account details were not exposed in the past and remain secure

3. You do not need to take any additional action to safeguard your information

4. There is no need to change your password."

"While we always advise our customers to be cautious and aware of the security of their personal accounts, in this case we want to reassure you there is no need to be unduly concerned," eBay said in its statement. "When you login to eBay using your user name and password these details were not exposed to the OpenSSL vulnerability."


A Facebook spokesperson said on Wednesday that the company "added protections for Facebook's implementation of OpenSSL before this issue was publicly disclosed, and we're continuing to monitor the situation closely."

"We haven't detected any signs of suspicious account activity that would suggest a specific action, but we encourage people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don't use on other sites," the Facebook spokesperson said.


Ty Rogers, a spokesman for Amazon, said in an emailed statement that the company's website "is not affected" by the Heartbleed bug.


A Google spokesperson said in an emailed statement, "The security of our users' information is a top priority. We proactively look for vulnerabilities and encourage others to report them precisely so that we are able to fix them before they are exploited. We have assessed the SSL vulnerability and applied patches to key Google services."

A Google spokesman confirmed today the company statement, which contradicts advice from Mashable.

"The security of our users' information is a top priority. We fixed this bug early and Google users do not need to change their passwords," the Google spokesman said.

Google also posted a blog on Wednesday detailing the fix for the bug and pointing out that Android users are not vulnerable.

In general, Google advises users to pick strong passwords that are different for each of your important accounts and it is good practice to update your passwords regularly. The firm also recommends turning on two-step verification, which provides a stronger layer of sign-in security. Even if your password gets stolen, it's not enough to access your account, the company said.


In a statement on Wednesday, Yahoo said, "A vulnerability, called Heartbleed, was recently identified impacting many platforms that use OpenSSL, including ours."

The company said it has "successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr) and we are working to implement the fix across the rest of our sites right now. We're focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users' data."


A spokeswoman for Intuit, which owns the popular tax preparation program TurboTax, said the company is "not proactively recommending" that customers update their online passwords but "it is always good practice to regularly update" them.


Tumblr issued a warning Tuesday, saying the blog site has "no evidence of any breach and, like most networks, our team took immediate action to fix the issue," but users should change all their passwords.


A statement from a Netflix spokesman said, "Like many companies, we took immediate action to assess the vulnerability and address it. We are not aware of any customer impact. It’s a good practice to change passwords from time to time, and now would be a good time to think about doing so. We have additional security guidelines on our site at"

ABC News' Zunaira Zaki contributed to this report.