Heartbleed Havoc: 10 Passwords You Need To Change Right Now
The Heartbleed Threat Demands User Attention
The serious Heartbleed bug in OpenSSL, the widely used open-source implementation of the SSL/TLS encryption protocols, has system administrators scrambling to patch the back-end systems supporting many popular online services. Administrators are also revoking the keys associated with the digital certificates that validate the authenticity of a website or service, according to Finnish security testing firm Codenomicon, which has set up a thorough website addressing the issue.
Users of online services need to take action as well, say security experts, as hundreds of thousands of servers, including those that support Google, Yahoo and Dropbox, may have been impacted. Many of those services are urging users to change their passwords. Here are 10 of those services.
Google Services, Gmail
Google issued a statement on its official Security Blog outlining its progress in patching the vulnerability. The firm has said it isn't requiring users to change their passwords, but it is gently prodding users to make a change as a matter of good practice.
Impacted services include Search, Gmail, YouTube, Wallet, Play, Apps and App Engine. Google Chrome and Chrome OS are not affected, the company said. Businesses that use the Google Search Appliance, Cloud SQL or the Google Compute Engine also are impacted and must update their back-end systems to the latest OpenSSL iteration.
Google said the latest Android hardware that supports Android version 4.4 KitKat is immune to the vulnerability. However, users of Android 4.1.1 Jelly Bean are impacted, Google said. The company has distributed patching instructions to Android partners, so users should keep an eye out for a firmware update from their carrier.
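The advice above to bring back-end systems up to the latest OpenSSL build raises the practical question of how to tell whether a given host is on a vulnerable build. The following Python is an added example, not code from the article or from any of the vendors it names. The version ranges it encodes are public facts about Heartbleed rather than something the article states: the bug shipped in OpenSSL 1.0.1 through 1.0.1f and in the 1.0.2-beta1 pre-release, 1.0.1g fixed it, the 0.9.8 and 1.0.0 branches never contained the heartbeat code, and builds compiled with `-DOPENSSL_NO_HEARTBEATS` have it compiled out. The sample `openssl version -a` text is constructed.

```python
import re
import subprocess

# Heartbleed version facts (public record, not taken from the article): the bug sits
# in the TLS heartbeat code that shipped in OpenSSL 1.0.1 through 1.0.1f and in the
# 1.0.2-beta1 pre-release. 1.0.1g fixed it; the 0.9.8 and 1.0.0 branches never had
# the heartbeat extension. Building with -DOPENSSL_NO_HEARTBEATS compiles the
# vulnerable code out, which the OpenSSL advisory offered as a stop-gap.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def parse_openssl_version(text):
    """Extract (major, minor, fix, letter, prerelease) from `openssl version` output."""
    m = _BANNER_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version banner found in: %r" % text[:40])
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), letter, pre


def in_heartbleed_range(major, minor, fix, letter, pre):
    """True for the releases that shipped the buggy heartbeat code."""
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"          # plain 1.0.1 ("") through 1.0.1f
    if (major, minor, fix) == (1, 0, 2):
        return pre == "beta1"         # beta2 and the final release were fixed
    return False


def classify_heartbleed(version_a_output):
    """Classify the text of `openssl version -a` as one of:
    'unaffected' (0.9.8 / 1.0.0 branches), 'fixed' (1.0.1g+, 1.0.2-beta2+, 1.1+),
    'mitigated' (bug-range version compiled with -DOPENSSL_NO_HEARTBEATS) or
    'vulnerable' (bug-range version with heartbeats enabled).
    Distributions backport fixes without changing the version letter, so treat
    'vulnerable' as unproven until the package changelog shows the fix."""
    fields = parse_openssl_version(version_a_output)
    if not in_heartbleed_range(*fields):
        return "unaffected" if fields[:3] < (1, 0, 1) else "fixed"
    if "OPENSSL_NO_HEARTBEATS" in version_a_output:
        return "mitigated"
    return "vulnerable"


# Constructed sample of `openssl version -a` output: an old version string, but
# rebuilt with the heartbeat extension compiled out.
SAMPLE_MITIGATED = (
    "OpenSSL 1.0.1e 11 Feb 2013\n"
    "built on: Tue Apr  8 10:00:00 UTC 2014\n"
    "compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS\n"
)


def local_status():
    """Run the local `openssl version -a` binary, if present, and classify it."""
    try:
        out = subprocess.run(["openssl", "version", "-a"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        return "unknown (%s)" % exc
    return classify_heartbleed(out)


if __name__ == "__main__":
    print("sample build:", classify_heartbleed(SAMPLE_MITIGATED))
    print("this host:   ", local_status())
```

The version banner alone is a weak signal: Debian, Ubuntu and Red Hat all shipped the fix under the old 1.0.1e version string, so a 'vulnerable' result means "verify the package changelog", not "definitely exploitable". The `OPENSSL_NO_HEARTBEATS` check covers the other common false positive, a rebuild with the feature removed.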
Tumblr
Tumblr content management system users were impacted by Heartbleed. Tumblr issued a warning to users, urging them to change their user account credentials. The company said users should change the password "everywhere" it is used, especially for "high-security services like email, file storage, and banking, which may have been compromised by this bug."
Facebook
A Facebook spokesperson told ABC News that the company addressed the issue before the OpenSSL Project publicly disclosed the flaw. The popular social network, which closely monitors its user accounts for anomalous activity that could signal a problem, said it hasn't detected any spikes in attacks or hijacked accounts. The firm is still advising users to use a unique password and follow good practices by updating to a new password.
Yahoo
Search engine giant Yahoo said it updated its services, which include Tumblr. Yahoo is not urging users to change their passwords, but security experts told CRN that a password change is necessary to greatly reduce the risk of an account hijacking. Yahoo Mail has had previous account security issues, being targeted in a coordinated attack campaign by cybercriminals who gained access to user names and passwords from a third-party database, the company said in January. It didn't acknowledge how many users were impacted.
Amazon Web Services
Amazon Web Services issued a services update indicating that Heartbleed affected all of its load-balancers and urged users to terminate their secure services and rotate their SSL certificates. Amazon EC2 users need to take action to patch the flaw themselves if they are using Linux images, the company said. EC2 users also need to rotate any secrets or keys. Amazon CloudFront content delivery service users also were impacted by the bug and should rotate their SSL certificates.
Intuit TurboTax Users
People who filed their taxes using the TurboTax preparation service are being urged by security experts to change their passwords. The company issued a press release indicating that it patched its back-end systems, which were affected by the Heartbleed bug. "Taxpayers can be confident that TurboTax websites are secure and their personal and financial information are safe. They can file their return today with confidence," said "Nat" Rajesh Natarajan, the company's chief technology officer and vice president of product development and product management, in a statement.
Dropbox
Dropbox did not issue a statement, but told users through its Twitter account that it patched its user-facing services to repair the OpenSSL bug. A simple password change as a result of the affected service will bolster security and is a standard, good practice, say security experts.
LastPass
The back-end servers supporting the LastPass password management service were impacted by the vulnerability, but the company said the encryption key that enables users to gain access to their password database is stored locally, meaning that the master password is not on its servers. Sensitive data is never transmitted over SSL unencrypted because it is already encrypted locally, the firm said.
"Because other websites may not be encrypting data the way LastPass does, we recommend that LastPass users generate new passwords for their most critical sites (such as email, banking, and social networks)," the company said in an extensive blog post on the Heartbleed threat.
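The LastPass design described above, with the key derived and the vault encrypted on the client so that the TLS layer only ever carries ciphertext and a login token, is the general pattern that limits what a Heartbleed-style memory leak can expose. The Python below is an added example of that pattern; it is not LastPass's code and makes no claim about how LastPass implements it. It assumes PBKDF2-HMAC-SHA256 for key stretching and, because the standard library has no AES, uses HMAC-SHA256 in counter mode with an encrypt-then-MAC tag as a stand-in cipher (a real client would use AES-GCM from a vetted library). The master passphrase and vault entries are constructed sample data.

```python
import hashlib
import hmac
import json
import os
import struct

PBKDF2_ITERATIONS = 100_000  # illustrative count; products tune this much higher


def derive_keys(master_password, salt):
    """Stretch the master password with PBKDF2, then split three independent
    sub-keys off with HMAC so the key that authenticates to the server is not
    the key that decrypts the vault."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)

    def sub(label):
        return hmac.new(root, label, hashlib.sha256).digest()

    return sub(b"enc"), sub(b"mac"), sub(b"auth")


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a standard-library stand-in for a real
    stream cipher (assumption: a product would use AES-GCM instead)."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_vault(enc_key, mac_key, entries):
    """Serialise the entries, encrypt them, then MAC nonce+ciphertext."""
    plaintext = json.dumps(entries).encode("utf-8")
    nonce = os.urandom(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(enc_key, mac_key, blob):
    """Verify the tag first; a wrong key or tampered blob fails closed."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault blob failed integrity check (wrong key or tampered)")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, ks)).decode("utf-8"))


def server_record(master_password, entries):
    """Everything the client ever uploads: a salt, a hash of the auth sub-key and
    the ciphertext. Neither the master password nor enc_key is part of it."""
    salt = os.urandom(16)
    enc_key, mac_key, auth_key = derive_keys(master_password, salt)
    return {"salt": salt.hex(),
            "auth_hash": hashlib.sha256(auth_key).hexdigest(),
            "vault": encrypt_vault(enc_key, mac_key, entries).hex()}


def client_login_token(master_password, salt_hex):
    """The one password-derived value sent over TLS; it cannot be turned back
    into the master password or into enc_key."""
    _, _, auth_key = derive_keys(master_password, bytes.fromhex(salt_hex))
    return auth_key.hex()


def server_verify_login(record, token_hex):
    digest = hashlib.sha256(bytes.fromhex(token_hex)).hexdigest()
    return hmac.compare_digest(record["auth_hash"], digest)


def client_open_vault(master_password, record):
    enc_key, mac_key, _ = derive_keys(master_password, bytes.fromhex(record["salt"]))
    return decrypt_vault(enc_key, mac_key, bytes.fromhex(record["vault"]))


def leaked_payload_is_useless(master_password, record, token_hex):
    """Model a leak of the TLS plaintext (login token plus stored record), as a
    Heartbleed read of server memory could have produced. True when the leak
    contains no master password and the token cannot open the vault."""
    leaked = (token_hex + json.dumps(record)).encode("utf-8")
    if master_password.encode("utf-8") in leaked:
        return False
    try:
        token = bytes.fromhex(token_hex)
        decrypt_vault(token, token, bytes.fromhex(record["vault"]))  # attacker's best guess
        return False
    except ValueError:
        return True


# Constructed sample data, not real credentials.
MASTER = "correct horse battery staple (constructed)"
ENTRIES = {"bank.example": "s3cret-bank-pw", "mail.example": "s3cret-mail-pw"}

if __name__ == "__main__":
    record = server_record(MASTER, ENTRIES)
    token = client_login_token(MASTER, record["salt"])
    print("login ok:", server_verify_login(record, token))
    print("vault:", client_open_vault(MASTER, record))
    print("leak useless without master password:", leaked_payload_is_useless(MASTER, record, token))
```

The property worth noticing is which function needs the master password: only the client-side `derive_keys`. A leak of the server's TLS plaintext yields the login token and ciphertext, which is why LastPass's advice above is about rotating passwords stored inside the vault for other sites, not the master password itself.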
PayPal
PayPal user accounts are safe and users do not need to take any action, according to the company. However, businesses, mainly online merchants that use its Payflow Gateway, need to upgrade their systems to address the vulnerability, PayPal said in a statement on its site.
"We have already been in touch with the merchants who could potentially be affected and are working with them to upgrade their integrations," the company said.