Heartbleed Bug: Here's What It Is and Whether You Might Be Affected [Video]
Updated to reflect that "TurboTax is not affected by 'Heartbleed.'"
Heartbleed. The new scourge of the Internet. A vulnerability that affects around two-thirds of the world's servers, Heartbleed has many experts stating it could be the worst bug ever discovered. Here's what it is and whether you might be affected.
Heartbleed is simple: it is a vulnerability in OpenSSL, a widely used encryption software library.
"The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)," Codenomicon, the Finland-based security firm that discovered Heartbleed, wrote on Heartbleed.com.
Without getting too technical, Heartbleed allows a hacker to gain access to usernames, passwords, and other sensitive personal information. In fact, Codenomicon tested out the vulnerability from an attacker's viewpoint and had this to say:
"We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."
Bear in mind Heartbleed was only discovered Monday. It is still unclear how much damage has been wrought as a result of Heartbleed, and most experts are now erring on the side of caution -- it could be bad, real bad. The only real action an Internet user can take is to change passwords, and even then, it might be too late. Heartbleed went undetected for over two years, although many agree that most hackers probably didn't know about it until this week.
Most major web sites and services have already implemented a fix for Heartbleed, but for those still wondering, here's a rundown of major web players that have suggested changing passwords to be on the safe side.
Social media sites Facebook, Instagram, Pinterest, and Tumblr have all confirmed that they were open to Heartbleed, but have since patched up the hole. Still, they all suggest users change their passwords, especially if it's the same password used across other sites. Twitter and LinkedIn junkies can rest easy as both companies have confirmed Heartbleed did not affect them.
Google and Yahoo services, including Gmail, YouTube, Google Wallet, Google Play, Yahoo Mail, Yahoo Sports, and Yahoo Finance were all revealed to be open to Heartbleed. Both companies have rectified their susceptibility to Heartbleed, and both suggest changing passwords. Microsoft services, including Hotmail and Outlook, and Apple services were found to be Heartbleed-safe.
Other Heartbleed-sensitive web services include Amazon's tools for website operators, GoDaddy, Etsy, Dropbox, GitHub, OKCupid, IFTTT, and Minecraft. All have patched the Heartbleed vulnerability and all state users of their services should change passwords.
No major banks were found to be at the mercy of Heartbleed, and taxpayers can rest easy: the IRS has come out saying all of your information is safe.
Remember, when changing passwords, it's best to stay away from using the same one on multiple sites.
For a comprehensive and updated list of Heartbleed-vulnerable sites, you can visit Mashable, and for a detailed security analysis on what you can do, visit KrebsOnSecurity.