'Heartbleed' Online Bug: How to Protect Yourself
Why this bug affecting hundreds of millions of people should be taken seriously.
April 9, 2014 -- An online bug called "Heartbleed" is affecting a huge chunk of the Internet, which means that a password change is likely in order for hundreds of millions of people.
More than half a million sites are vulnerable that use the security system called Open SSL, according Netcraft, and have had to install a new security patch. Before this patch, private data on websites such as Yahoo, Google and Tumblr could have been vulnerable to hackers, experts said. This bug was discovered by a team of security engineers at tech company Codenomicon and Neel Mehta of Google Security.
Joost Bijl, a product manager with the cybersecurity firm Fox IT, said that affected websites should be letting consumers know that a fix has been installed. But, so far it does not appear that any major website besides Tumblr have reached out to consumers.
Here's what you should know about "Heartbleed" and some ways to protect yourself:
Tumblr
Tumblr issued a warning on Tuesday, saying the blog site has "no evidence of any breach and, like most networks, our team took immediate action to fix the issue," but users should change all their passwords.
This Is Serious
Codenomicon set up a Heartbleed info website, saying, "Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously."
Codenomicon CEO David Chartier said that users on impacted websites should change their passwords, but only once the site administrators have appropriately installed the patch to fix the problem. It doesn't help to change the password if the site has not been updated, though Chartier estimated that the fix is probably already in place on most of the major websites. The problem has been around for two years and was discovered last Friday, he said.
Chartier also said their investigation shows that Open SSL is used by at least 66 percent of all servers on the Internet.
A Facebook spokesperson said the company "added protections for Facebook's implementation of OpenSSL before this issue was publicly disclosed, and we're continuing to monitor the situation closely."
"We haven't detected any signs of suspicious account activity that would suggest a specific action, but we encourage people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don't use on other sites," the Facebook spokesperson said.
A Google spokesperson said in an emailed statement, "The security of our users' information is a top priority. We proactively look for vulnerabilities and encourage others to report them precisely so that we are able to fix them before they are exploited. We have assessed the SSL vulnerability and applied patches to key Google services."
They later added to their statement saying that, "The security of our users' information is a top priority. We fixed this bug early and Google users do not need to change their passwords."
Google also posted a blog today detailing the fix for the big and pointing out that Android users are not vulnerable.
Yahoo
In a statement, Yahoo said, "A vulnerability, called Heartbleed, was recently identified impacting many platforms that use Open SSL, including ours."
The company said it has "successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr) and we are working to implement the fix across the rest of our sites right now. We're focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users' data."
Beware
Mark McCurley, senior information security advisor at Identity Theft 911, said Lastpass.com/heartbleed can help you check to see if a site is vulnerable. You can also ask the company or website if they have fixed potential flaws, then update to a strong password, using numbers, upper case, lower case and symbols, McCurley said.
People should also be wary of phishing emails that trick you into revealing your passwords to scammers.
Main Takeaways From an Expert
Security expert Brian Krebs, who broke the news of Target's massive security breach last year, said hundreds of millions of users are impacted by this problem. He offered three main takeaways:
• This highlights the danger of using the same password over and over again for all your sites.
• Using same username and same password on multiple sites that hold valuable information is a bad idea.
• For banking and email you should have different usernames and passwords.
And Lastly ...
Krebs advised people on Tuesday to avoid logging into sites that have critical personal information. It's never a bad idea to change passwords for important services and sites, he said.
ABC News' Sandy Cannold and Susanna Kim contributed to this report.