Web users advised to change all their passwords due to 'Heartbleed' bug


Internet security teams have discovered a major bug that has exposed millions of passwords, credit card numbers and other sensitive information to computer hackers, and the bug has gone undetected for more than two years, the Associated Press reports.

The "Heartbleed" bug makes it possible for hackers to retrieve code from websites and other online services that would give them access to that information. The bug affects services that use the widely popular OpenSSL security library, according to the Los Angeles Times.

SSL/TLS is an encryption technology, indicated in Web browsers by a small, closed padlock and "https:", that signals a secure connection. The Heartbleed bug affects only one version of OpenSSL, which is an open-source implementation of that technology. But that version is used by roughly two-thirds of all web servers, according to the Associated Press.

Heartbleed makes it possible for hackers to snoop on Internet traffic even if the padlock is closed. They could also grab the keys for deciphering encrypted data without the website owners knowing the theft had occurred, according to security researchers.

Following the discovery of Heartbleed, Tumblr posted a message to all its users encouraging them to change the passwords for all of their online accounts.

"The little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit," Tumblr said.

A fix for the bug has been issued, but because the affected version of OpenSSL has been around for two years, it's impossible to know whether hackers have been taking advantage of the weakness all this time, said the Times.

"This might be a good day to call in sick and take some time to change your passwords everywhere -- especially your high-security services like email, file storage, and banking, which may have been compromised by this bug," Tumblr said.

But there's another problem with the timing. Because each web service will have to manually fix the problem, which takes time, it won't do you any good to change your password until those sites are running the updated version of OpenSSL, with the new security in place, according to Wired. So the onus is on the Internet services affected by Heartbleed to alert their users to the problem, and let them know when it's been fixed.

Tumblr, which is owned by Yahoo, said it has already put the fix in place for OpenSSL on its service. Tumblr said it has no evidence it was hacked due to the Heartbleed bug.

The bug was discovered by Neel Mehta of Google's security team as well as a team of security engineers at Codenomicon, a security company based in Finland. Codenomicon has created a website with information about Heartbleed.

Here's a list of online resources with more information about Heartbleed. Some are more technical than others.

The Wire -- The basics of Heartbleed. What it is, and what you should do about it as a consumer.

Lifehacker -- Another plain language explainer.

Gizmo -- The "secret handshake" metaphor for Internet security.

Heartbleed.com -- The site set up by Codenomicon. It's geared toward a more technical audience.

Homeland Security/CERT -- Disclosure of the bug to the federal government's cybersecurity teams.

GitHub -- A (very) long list of web servers that have been tested, identifying which ones are vulnerable to Heartbleed.
