Heartbleed is the latest security issue to trend across the webisphere.
It is a security flaw which takes the form of a bug in a piece of software called OpenSSL. This software is used to encrypt communications between your computer and the web server of many of the secure sites that we log into. The BBC describes it as “a sort of secret handshake at the beginning of a secure conversation” – which made me chuckle.
But it’s a very serious business! SSL is the encryption tool used by around two-thirds of all websites on the internet and around half a million sites are believed to have been affected. You can tell that a site uses SSL because its URL starts with https rather than http, or you may see a little padlock symbol in your browser.
The first advice was to change all your passwords immediately.
But then it became apparent that doing that would not solve the problem unless the site involved had already implemented a patch to protect its system, since a new password sent to an unpatched site could be exposed in the same way.
The advice now is to wait until you receive a notification from these sites to change your password. However, some sites still do not believe that a change is necessary. My judgement is that if there is an issue, you should protect yourself and make a change.
Which sites have been affected?
Mashable published a helpful list of sites that have been affected in the US.
And The Telegraph gives a list for the UK.
Is my UK bank affected by Heartbleed?
From their article, it does not look as if the Government website or any of the main banks has been affected. Many UK banks have added a notification to the front page of their website to say that they have not been affected. If in doubt about your bank, you can now go check it out yourself.
Should I change my social media passwords?
Social media sites affected are Facebook, Instagram, Pinterest and Tumblr. Click on the relevant link to find out how to change your password.
LinkedIn say they are unaffected, but the position for Twitter is not clear.
Flickr, SoundCloud and YouTube are affected.
Anyone who uses Dropbox is also affected but Evernote and SpiderOak are not.
Amazon, Apple and Microsoft are not affected but Yahoo and Google are.
You do not need to change your passwords on AOL, Hotmail or Outlook but Gmail and Yahoo Mail are affected.
Whilst the Amazon store is not affected, anyone with an Amazon Web Services account will need to change their password.
eBay, Groupon and PayPal are not affected but GoDaddy is.
It is not clear whether WordPress has been affected.
Should I change my Google password?
Although both Google and Gmail have been affected, a source at Google told the BBC that it was not necessary for Google users to change their passwords, as the company had patched the vulnerability ahead of the exploit being made public and did not believe that it had been widely used by hackers.
I leave that up to you but, bearing in mind that one password controls so many Google properties, it would be wise to get into the habit of changing this password regularly anyway. And change it to something secure! Read more about creating a secure password here.
How can I remember all these passwords?
One piece of software that was not affected by Heartbleed is KeePass. It does not use OpenSSL, the software involved in the flaw. What it does is keep all your passwords together, secure under one main password. This means that you can access everything in one place. You can click a button to have the login page open and another to have the details automatically typed in.
The BBC are reporting that, as a direct result of the Heartbleed vulnerability, Mumsnet has been hacked. They report the following:
Mumsnet – which says it has 1.5 million registered members – said that it believed that the cyber thieves may have obtained passwords and personal messages before it patched its site.
The Canada Revenue Agency said that 900 people’s social insurance numbers had been stolen.
So it’s time to change your password. Make sure you use a different password for each site rather than one general password, and make sure each one is secure. Include capital and lower-case letters, numbers and symbols.
WordPress.com was vulnerable
WordPress.com have issued some advice about the implications of Heartbleed for their users. WordPress.com was using the latest OpenSSL version, which was vulnerable, but they have patched the problem. On changing your password, they say:
Will you be forcing me to reset my WordPress.com password?
At this time, we will not be forcing you to change your password.
Should I change my WordPress.com password?
If you want to, you are welcome to change your password. If you are using the same password other places on the Internet, we urge you to change your password and remind you to use unique passwords wherever possible.