Internet security teams have discovered a major bug that has exposed millions of passwords, credit card numbers and other sensitive information to computer hackers, and the bug has gone undetected for more than two years, the Associated Press reports.
The "Heartbleed" bug makes it possible for hackers to retrieve code from websites and other online services that would give them access to that information. The bug affects services that use the widely popular OpenSSL security library, according to the Los Angeles Times.
SSL/TLS is the encryption technology behind the small closed padlock and the "https:" prefix that Web browsers display to signal a secure connection. The Heartbleed bug affects only one version of OpenSSL, an open-source implementation of that technology. But that version is used by roughly two-thirds of all web servers, according to the Associated Press.
Heartbleed makes it possible for hackers to snoop on Internet traffic even if the padlock is closed. They could also grab the keys for deciphering encrypted data without the website owners knowing the theft had occurred, according to security researchers.
Following the discovery of Heartbleed, Tumblr posted a message to all its users encouraging them to change the passwords for all of their online accounts.
"The little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit," Tumblr said.
A fix for the bug has been issued, but because the affected version of OpenSSL has been around for two years, it's impossible to know whether hackers have been taking advantage of the weakness all this time, said the Times.
"This might be a good day to call in sick and take some time to change your passwords everywhere -- especially your high-security services like email, file storage, and banking, which may have been compromised by this bug," Tumblr said.
But there's another problem with the timing. Because each web service has to apply the fix itself, which takes time, changing your password won't do you any good until those sites are running the updated version of OpenSSL, with the new security in place, according to Wired. So the onus is on the Internet services affected by Heartbleed to alert their users to the problem, and to let them know when it's been fixed.
Tumblr, which is owned by Yahoo, said it has already put the fix in place for OpenSSL on its service. Tumblr said it has no evidence it was hacked due to the Heartbleed bug.
The bug was discovered by Neel Mehta of Google's security team as well as a team of security engineers at Codenomicon, a security company based in Finland. Codenomicon has created a website with information about Heartbleed.
Here's a list of online resources with more information about Heartbleed. Some are more technical than others.
The Wire -- The basics of Heartbleed. What it is, and what you should do about it as a consumer.
Lifehacker -- Another plain language explainer.
Gizmo -- The "secret handshake" metaphor for Internet security.
Heartbleed.com -- The site set up by Codenomicon. It's geared toward a more technical audience.
Homeland Security/CERT -- Disclosure of the bug to the federal government's cybersecurity teams.
Github -- A (very) long list of web servers that have been tested, identifying which ones are vulnerable to Heartbleed.