You may have already heard about the Heartbleed bug. Heartbleed is a bug that was found in OpenSSL, the security protocol used across much of the Internet, that could potentially allow someone to secretly install software on third-party servers and steal passwords or other information. Many websites and Internet-based services have been potentially vulnerable. Heartbleed is not just the latest Internet chain letter. This was a serious issue, and the following information may be valuable to you.
If exploited, Heartbleed could allow someone to get access to your email accounts, bank accounts, credit card numbers, files stored in the cloud, etc. In order to protect your information, affected service providers (the companies, not you as the customer) should have taken both of the following steps:
- Update/patch OpenSSL to remove the bug
- If it was at all possible at any time for Heartbleed to be exploited on the server, replace SSL certificates.
Here are some services that were potentially affected by Heartbleed, where it is recommended that you change your passwords:
- Tumblr
- Gmail
- YouTube
- Google+
- Yahoo.com
- Yahoo Mail
- Bing
- Blogspot
- LL Bean / BarclayCard
- Amazon Web Services (but not Amazon.com)
- Etsy
- GoDaddy
- Intuit/TurboTax
- USAA
- Box
- Dropbox
- GitHub
- Minecraft
- Netflix
- Salesforce.com
- Hootsuite
- AWeber
And here are a few sites that were not affected, or where you do not need to take any action. Fortunately, many banks are on this list:
- Amazon.com
- Microsoft.com
- AOL
- Hotmail
- eBay
- Groupon
- PayPal
- Target
- Nordstrom
- Walmart
- Bank of America
- Capital One
- Chase
- Citigroup
- E*Trade
- Fidelity
- Schwab
- Scottrade
- TD Ameritrade
- US Bank
- Wells Fargo
- 1040.com
- Healthcare.gov
- TaxACT
For a much longer list, you can visit this web page:
https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt
For other services, I would recommend that you contact your service provider to find out the status. Or, you can use this webpage from LastPass as a quick screening tool to check a website’s vulnerability. If the status is unclear, do contact your service provider.
https://lastpass.com/heartbleed/
If a service you use could have potentially been affected, I recommend that you check with your service provider (or use the tool above), to verify that any bugs have been patched and that SSL certificates have been replaced.
After you have verified that both these steps are complete (and only after these are done), I recommend that you change your passwords with any service that you care about if there was any chance that they were affected at some point in time:
- Email accounts
- Online bank accounts
- Online credit card accounts
- Online accounts with any merchant/vendor where you have provided credit card information
If a service provider was never affected, then you do not need to change your passwords.
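The two-step rule above (server patched, certificate replaced, and only then a password change) can be partly checked from a server's certificate dates. This is an added example, not part of the original post: it assumes Python's standard ssl module, the public Heartbleed disclosure date of 7 April 2014, constructed sample certificates, and a hypothetical assess() function that encodes the rule; the certificate alone cannot tell you whether the server was patched, so that part still comes from the provider.

```python
import ssl
import socket
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on 2014-04-07. A certificate whose
# validity period starts before that date cannot have been reissued in
# response to the bug, so the "replace SSL certificates" step is not done.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_not_before(cert):
    """Return the notBefore field of a getpeercert()-style dict as a UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def assess(cert, provider_says_patched):
    """Apply the post's rule: patched first, certificate replaced, then change password.

    provider_says_patched: whether the provider has confirmed the OpenSSL fix
    is deployed. A new certificate issued on an unpatched server may itself
    have leaked, which is why the certificate date alone is not enough.
    """
    issued = cert_not_before(cert)
    if issued < HEARTBLEED_DISCLOSURE:
        return "wait: certificate predates disclosure, ask provider whether it was replaced"
    if not provider_says_patched:
        return "wait: certificate is new but patch status unconfirmed"
    return "change your password now"


def fetch_cert(hostname, port=443, timeout=5):
    """Fetch the certificate a live server presents (network access required)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the shape ssl.getpeercert() returns.
OLD_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Jan  1 00:00:00 2014 GMT",
            "notAfter": "Jan  1 00:00:00 2015 GMT"}
NEW_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Apr  9 12:00:00 2014 GMT",
            "notAfter": "Apr  9 12:00:00 2015 GMT"}

if __name__ == "__main__":
    print(assess(OLD_CERT, provider_says_patched=True))
    print(assess(NEW_CERT, provider_says_patched=False))
    print(assess(NEW_CERT, provider_says_patched=True))
```

For a real site, replace the constructed dicts with `fetch_cert("your-provider.example")` and ask the provider about patch status.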
Yes, changing all your passwords is a pain, but the alternative could be much, much worse.
A few additional recommendations:
- Do not use the same password on two different sites. Create separate passwords for each site.
- Use strong passwords: At least 9 characters long, with a mix of upper & lower case, numerals, and special characters.
- Avoid using your name, date of birth, or words that can be found in the dictionary in your passwords.
- If you have a service that offers 2-step validation (via text message to your cell phone), enable it. It’s a pain to use but provides very good protection.
- Update your browser(s) to the most current version.
- For good measure, delete/clear your browsers’ cache, cookies, and history.
- Have fun while you’re making all these changes. Put on some music and enjoy. 🙂
Monitor your accounts closely over the next few months and follow up quickly on any strange activity. Hopefully, none of your information was compromised. However, with many services, you cannot be completely safe until after your service provider has patched their servers and replaced their certificates, and you have changed your passwords.
To your success,
Steve Johnsen