If you’ve been keeping an eye on the news this week, you’ve no doubt heard about “Heartbleed,” a security vulnerability in one of the most popular pieces of encryption software on the web. Some security experts are describing this as the biggest security breach in Internet history. Before we start lining bunkers with concrete, let’s look at what Heartbleed is, who it affects, and what you need to do in response.
Heartbleed? What’s that?
Heartbleed is the nickname given to a security vulnerability in OpenSSL. OpenSSL is a popular online encryption library. The vulnerability allows hackers to find the secret codes that websites use to identify themselves. These codes allow hackers to translate information that a computer sends to a website. Without it, this information would appear as indecipherable gibberish.
The worst part about this vulnerability is the fact that it’s been around for two years and there’s no way to know whether it’s been used on a particular service. Security experts have only discovered and informed the public about the flaw over the past few days.
It’s unlikely that this exploit was common knowledge before. The brightest minds in online security work for large, multinational corporations, charged with keeping data safe. Still, hackers could have compromised passwords, e-mail accounts, user names, and other personally identifiable information. That’s a significant concern.
Who was affected by Heartbleed?
The biggest problem areas are Yahoo Internet services. If you use Yahoo e-mail, play Yahoo Fantasy Sports games, or use Tumblr, your password(s) may have been compromised. Some Google services, like Gmail and Google Drive, were also vulnerable. Social media sites like Twitter and Facebook may have been, too. If you filed your taxes through TurboTax or USAA, your data may have been vulnerable. The good news: Most online financial services use other modes of encryption and were not vulnerable.
The threat in this case isn’t just in the fact that someone could gain access to your e-mail. The real problem is that most people use a small collection of passwords for most services. Hackers know this and will therefore use those user names and passwords on other, more lucrative services.
What can you do about it?
Understand, first, that the odds of any one password being released through this leak is small. This is an exploit that only a small number of the brightest minds in computing could find. There is no cause for panic, and this bug does not mark the end of the Internet.
If you use one of these services, change your password, both on these services and other services where you’ve used the same password. Pick a new password that is easy to remember and strong. Follow the same good password rules you always have to keep your data safe. Whether the services you use are identified as part of this breach or not, it would be wise to go ahead and swap out the old passwords for new passwords that are, again, strong and considerably different from what you had previously used.
Developers have released a new version of OpenSSL without the vulnerability in it. There is no need to change your online behavior. The services named above have all patched their encryption software to avoid this problem. You should have no less confidence in online shopping and banking than you did last week.
In the future, it makes good security sense to use a unique password for each site or service you access. Part of the reason Heartbleed has become such a big deal is the fact that it exposed a weak link in the system. Your passwords are only as secure as the least secure means you use to store them. Using more passwords and multiple variations of them helps keep your personal information safe and secure. It avoids putting your finances in the same security system as your social media.