Dealing with the Heartbleed exploit: You need to change ALL of your passwords soon

by Team Mario

For years we’ve assumed that the lock icon in your browser and the letters “HTTPS” mean your Internet traffic is safe from any potential spies or snoops.

Unfortunately, with the public announcement of a new website vulnerability, known as Heartbleed, this may not necessarily have been the case for the past few years.

The end result of this is that you need to change every single one of your passwords, though perhaps not right this second. Keep reading to learn what this all means and exactly what you can do about it to stay safe.

What is Heartbleed?

“Heartbleed” refers to a vulnerability that allows hackers to access data servers running certain versions of the OpenSSL server. According to estimates, this accounts for about 17% of all current secure web servers, which means millions of websites are (or were) vulnerable, including many major sites you probably have come to rely upon.

Heartbleed was announced this past Monday, April 7th, and chances are good you’ve heard about it by now. Unfortunately, while the problem is widespread and difficult to understand, it is going to have a major impact on your online privacy and the safety of any private data. This includes email, photos, documents, credit cards… Any data that you’ve transferred to or from a website could now be in the wrong hands!

Which sites were affected?

Many major sites and services fell victim to Heartbleed, including:

  • Intuit (TurboTax)
  • GoDaddy
  • Amazon Web Services
  • Yahoo (including Email, Flickr, and more)
  • Google
  • Dropbox
  • Pinterest
  • Tumblr
  • Instagram
  • Minecraft
  • OKCupid
  • Wunderlist

However, these are only some of the sites that were vulnerable when the Heartbleed exploit was publicly announced on Monday. You have to assume that every site you’ve logged into for the last two years has been potentially affected, which means you need to change all of your passwords.

What does this mean for me?

The direct result of the Heartbleed bug is that it has been allowing attackers to get passwords as well as the keys they need to decrypt what was previously assumed to be encrypted, private data. This means we have two huge problems:

Photo by Mike (via Flickr)
Photo by Mike (via Flickr)

Problem #1 – Your Past Traffic

Your past encrypted web traffic is in trouble. This means any sensitive data you’re transferring to or are receiving from a website running OpenSSL over https (the little lock icon in your browser) is potentially not safe. At the very least, it definitely wasn’t safe earlier this week,.

Further complicating matters, any data you’ve sent over https to a server running OpenSSL from the past two years has potentially been captured by nefarious sources and they’re trying to get the private keys from these website servers so they can retroactively go back and un-encrypt and private information you previously sent.

So, if your bank was vulnerable and hackers got private keys from their server this past week, you may have just lost several years of what used to be private transaction and payment information. Unfortunately, the risk that criminals and identity thieves around the globe were sitting on a huge cache of your encrypted banking data and just waiting to get these keys is high.

While no banks have disclosed this kind of attack yet, in the coming weeks we may find out thank online banking had not been as secure as we thought.

Problem #2 – Your Passwords

Even if these criminals, identity thieves, or potential corporate spies or blackmailers don’t have a cache of your encrypted history, any websites you logged into while this vulnerability existed (past two years, but especially this past week) are at risk. This would’ve made it trivial for hackers to gain access to your accounts, meaning that you have to assume the absolute worst case scenario in order to be safe, which means you have to assume every single password you’ve ever used to log into anything has been compromised for years. Even as affected sites patch the Heartbleed vulnerability, your passwords continue to be compromised now, and those passwords absolutely have to be changed in order for you to stay safe.

These LifeHacker and NYT explanations might be good reads if you’re looking to understand more about what’s happening right now.

Photo by Domiriel (via Flickr)
Photo by Domiriel (via Flickr)

The Challenge

The big problem here is knowing when it’s safe to change your passwords so you can best protect whatever online privacy you still have left.

For instance, it’s a good idea and safe to change Gmail password right now. But if you were to, say, change your eBay password right this second you can assume that someone will immediately gain access to not just your eBay account but also PayPal and anything else that’s connected or that you use the same password for. This will probably be automated and happen in the blink of an eye, and they’ll continue to have access until both of these conditions are satisfied:

(a) you change your password again and
(b) the server in question is no longer vulnerable

OK so the big question is, which sites are safe to log into (so you can change your password there ASAP) and which aren’t safe to log into yet?

vulnerable heartbleed banking screenshot

How do I find out if a site is still affected?

The way to check is to type the server address into this test site:

http://filippo.io/Heartbleed/

Try every site multiple times though, and make sure you don’t just try say yourbank.com but the actual URL of the site where you log in with the padlock (which might be say, access.bankingsite.otherthing.com).

The Heartbleed checker itself has been overloaded this week and has been returning false negatives at times (saying sites are OK when they aren’t, but never the other way around). However, repeated tests that check out OK are a good indication the server in question is OK.

Do this for every site you log into with a padlock on it, and test the site BEFORE you try to login, ESPECIALLY any banks or financial institutions and any sites or services where your credit card info is stored also.

Is there an easy fix?

Unfortunately, no. You have to change all of your passwords, and you can only do it when sites have fixed this vulnerability. Many sites are now patched, but millions of websites worldwide are still vulnerable, and if you try to log in now and change your password you’ll just be revealing that password to would-be attackers.

Related: Watch Mario Armstrong discussing what makes a good password on CNN

One way to handle all of this might be to pay $12 to LastPass for a year of their pro service—their security monitoring system will actually tell you when it’s safe to log into compromised sites again and change your password safely (read their blog post about Heartbleed security to learn why).

LastPass will generate strong passwords for you, as well as remember and save them all, but now you’re handing over all of your passwords to a third party. That makes it easier to change all of your passwords and saves you from having to memorize dozens of new, complex passwords. But it also means that a hacker need only gain access to your LastPass account in order to gain access to your entire digital life.

What if you don’t use a computer?

While websites are the most obvious and vulnerable target for the Heartbleed exploit, this isn’t just a web problem. Any apps or services you only use on your iPhone, Android, Windows Mobile or Blackberry device are equally susceptible. This is because while these apps may not have actual websites, many use HTTPS to transfer encrypted or private data.

This issue is serious and complicated, and we’ll probably be discussing the security implications of Heartbleed for years. If you have specific questions or concerns, don’t hesitate to hit me up in the comments below and I’ll be sure to get back to you.

This is a guest post by Shy Mukerjee, the Managing Editor of Mario Armstrong Media