On Monday, security researchers at Codenomicon and Google discovered a flaw in the encryption technology meant to protect your passwords, online files and valuable online information. They’re calling the bug “Heartbleed.”
What is it?
The bug is in OpenSSL software, the technology behind that little padlock next to the web address of any site that requires a log-in, and it leaves a server’s memory vulnerable to attack.
If your information has been compromised, there’s no way of knowing.
“We have tested some of our own services from an attacker’s perspective,” Codenomicon wrote on heartbleed.com — a site meant to address questions about the bug. “We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”
What action is being taken?
The flaw prompted the Department of Homeland Security to advise businesses to check whether they’re using a vulnerable version of OpenSSL. A fix has been released for any site that has been affected.
What should you do?
Tumblr warned users Tuesday to reset their passwords, but don’t be too quick to change every online account’s log-in. At the moment, waiting might be the best option for protecting yourself.
According to CNET, “security experts suggest waiting for confirmation of a fix because further activity on a vulnerable site could exacerbate the problem.”
In the meantime, keep an eye on your financial statements and online information. You can check whether a site is vulnerable here.