
Web users advised to change all their passwords due to 'Heartbleed' bug


Internet security teams have discovered a major bug that has exposed millions of passwords, credit card numbers and other sensitive information to computer hackers, and the bug has gone undetected for more than two years, the Associated Press reports.

The "Heartbleed" bug makes it possible for hackers to retrieve code from websites and other online services that would give them access to that information. The bug affects services that use the widely popular OpenSSL security library, according to the Los Angeles Times.

SSL/TLS is an encryption technology indicated in Web browsers by a small, closed padlock and "https:", which signal a secure connection. The Heartbleed bug affects only one version of OpenSSL, which is an open-source version of that technology. But that version is used by roughly two-thirds of all web servers, according to the Associated Press.

Heartbleed makes it possible for hackers to snoop on Internet traffic even if the padlock is closed. They could also grab the keys for deciphering encrypted data without the website owners knowing the theft had occurred, according to security researchers.

Following the discovery of Heartbleed, Tumblr posted a message to all its users encouraging them to change the passwords for all of their online accounts.

"The little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit," Tumblr said.

A fix for the bug has been issued, but because the affected version of OpenSSL has been around for two years, it's impossible to know whether hackers have been taking advantage of the weakness all this time, said the Times.

"This might be a good day to call in sick and take some time to change your passwords everywhere -- especially your high-security services like email, file storage, and banking, which may have been compromised by this bug," Tumblr said.

But there's another problem with the timing. Because each web service will have to manually fix the problem, which takes time, it won't do you any good to change your password until those sites are running the updated version of OpenSSL, with the new security in place, according to Wired. So the onus is on the Internet services affected by Heartbleed to alert their users to the problem, and let them know when it's been fixed.

Tumblr, which is owned by Yahoo, said it has already put the fix in place for OpenSSL on its service. Tumblr said it has no evidence it was hacked due to the Heartbleed bug.

The bug was discovered by Neel Mehta of Google's security team as well as a team of security engineers at Codenomicon, a security company based in Finland. Codenomicon has created a website with information about Heartbleed.

Here's a list of online resources with more information about Heartbleed. Some are more technical than others.

The Wire -- The basics of Heartbleed. What it is, and what you should do about it as a consumer.

Lifehacker -- Another plain language explainer.

Gizmo -- The "secret handshake" metaphor for Internet security.

The site set up by Codenomicon -- It's geared toward a more technical audience.

Homeland Security/CERT -- Disclosure of the bug to the federal government's cybersecurity teams.

Github -- A (very) long list of web servers that have been tested, identifying which ones are vulnerable to Heartbleed.
