Pete Posted April 10, 2014

Probably a good idea.

An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services - ones you might use every day, like Gmail and Facebook - and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years.

But it hasn't always been clear which sites have been affected. Mashable reached out to various companies included on a long list of websites that could potentially have the flaw. Below, we've rounded up the responses from some of the most popular social, email, banking and commerce sites on the web.

Some Internet companies that were vulnerable to the bug have already updated their servers with a security patch to fix the issue. This means you'll need to go in and change your passwords immediately for these sites. Even that is no guarantee that your information wasn't already compromised, but there's no indication that hackers knew about the exploit before this week.

Although changing your password regularly is always good practice, if a site or service hasn't yet patched the problem, your information will still be vulnerable.

We'll keep updating the list as new information comes in.

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/#:eyJzIjoiZiIsImkiOiJfZnd6cW9tMmEzMHM4bWluMWxxMnBpOGowZ3JfIn0

---

List of compromised sites in the link. But it's a lot.

Phil Posted April 10, 2014

I just updated the list, and it was easy as pie, because I use LastPass.

Now, before anyone says "dude, LastPass was hacked too!", read this:

http://download.cnet.com/8301-2007_4-20060191-12.html

And this:

http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

So yes, technically you are right, but as the first article and the LP update itself both note, data breaches are going to happen to everyone no matter what at some point, so I'll stick with a company like this that goes to great lengths to encrypt every bit of data being processed through its sites.

"Another reason that LastPass might be requiring all users to reset their passwords is that the company doesn't have access to the salt hashes on its own servers. They couldn't see your passwords if they wanted to. It's this kind of straightforward frankness about data breaches that other companies would do well to learn from."

Morphinity 2.0 Posted April 10, 2014

Just wait a little bit before changing your passwords as some sites might not have updated their OpenSSL version to patch the vulnerability and some sites need to update their certificates. Basically, if you change the password and the website still has the vulnerability, then you're not helping your case.

LindG1000 Posted April 10, 2014

Is this the shittiest bug ever that the creators didn't go after banks, or are banks liars?

Pete (Author) Posted April 10, 2014

Why go to banks when you can get credit card numbers elsewhere?

Pete (Author) Posted April 10, 2014

> Just wait a little bit before changing your passwords as some sites might not have updated their OpenSSL version to patch the vulnerability and some sites need to update their certificates. Basically, if you change the password and the website still has the vulnerability, then you're not helping your case.

I changed the one that said Yes in the Change Password column.

Dave Posted April 10, 2014

> Is this the shittiest bug ever that the creators didn't go after banks, or are banks liars?

From my understanding, this wasn't a bug that someone created. This was a bug that was not caught in the widely used OpenSSL library. The bug was only in certain versions, so only web sites/services that use the specific OpenSSL libraries were affected. The banks didn't, that's why they weren't affected.

Here's an example using this site. This site uses Vbulletin version 4. If Vbulletin version 4 (and no other version) was coded in a way that someone could exploit a poorly coded portion of the forum software to grab all the exchanges between the forum and the users, it would be similar to what's going on with Heartbleed. To get your password, someone would have to be exploiting the bug at the time you typed in your username and password and submitted it to log in. If another forum site wasn't using Vbulletin or was using Vbulletin version 5, the exploit wouldn't be available and nothing would need to be done about it.

LindG1000 Posted April 10, 2014

> From my understanding, this wasn't a bug that someone created. This was a bug that was not caught in the widely used OpenSSL library. The bug was only in certain versions, so only web sites/services that use the specific OpenSSL libraries were affected. The banks didn't, that's why they weren't affected.
>
> Here's an example using this site. This site uses Vbulletin version 4. If Vbulletin version 4 (and no other version) was coded in a way that someone could exploit a poorly coded portion of the forum software to grab all the exchanges between the forum and the users, it would be similar to what's going on with Heartbleed. To get your password, someone would have to be exploiting the bug at the time you typed in your username and password and submitted it to log in. If another forum site wasn't using Vbulletin or was using Vbulletin version 5, the exploit wouldn't be available and nothing would need to be done about it.

Ahh, I see. I always assume that creators of malicious content or exploiters of loopholes will almost always attempt to attack the best source of information or the best source of profit.

Archived
This topic is now archived and is closed to further replies.