In April 2014, researchers disclosed a two-year-old flaw in OpenSSL, the encryption software behind a large share of the Web's secure connections, that has left Internet users unusually exposed to password and identity theft. This vulnerability, nicknamed "Heartbleed", was quickly addressed by many (but not all) of the companies that were affected, but if you haven't taken steps on your own accounts at the affected services, you may still be at risk.
What Is Heartbleed, and Why Should I Still Worry?
If you have already changed your passwords since the flaw was disclosed in April, you shouldn't worry. But here is what makes Heartbleed different from most previous threats.
- Heartbleed let an attacker read small chunks of a vulnerable server's memory, and that memory can contain whatever the server was handling at the time: usernames, passwords, and session cookies included. The flaw went undiscovered for two years, so the bad guys had plenty of time to take advantage of it without anyone knowing. Just because they haven't used your credentials or identity yet doesn't mean they won't use data they stole earlier. So you could still be vulnerable.
- Heartbleed was perhaps the most widespread vulnerability ever, because so many web-based services ran the affected software. Pinterest, Instagram, Dropbox, Box, Wikipedia, WordPress, YouTube, Yahoo, Gmail, and Netflix had all used the affected software at some point, which means somebody could have stolen the credentials you used on those websites or services.
- Even though services such as AOL, Hotmail/outlook.com, and LinkedIn did not use the affected software, if you use the same username and password on these sites as on one of the affected sites, your accounts there can be compromised with data stolen from the affected sites.
Taken together, these factors mean you’re not yet out of the woods if you haven’t taken the proper personal actions.
What Should I Do To Protect Myself?
If you haven't done it since the vulnerability was publicly announced in April, change your passwords, especially on the affected websites. Since the bad guys had a two-year head start on stealing credentials from affected sites, they might already have yours, and can log into any website where you used that username and password combination. If you used that combination on your email account, they can even reset your other passwords and pick up the reset links by logging into your email with the username and password they already know.
So here’s what you need to do now:
- Change your password on every account that is on the list of affected websites above or that has notified you that you should change your password. If a site has not yet said it has fixed the problem, wait until it does; a new password sent to a still-vulnerable server can leak just as easily as the old one.
- Change your password on all your email accounts, so that if someone stole your email credentials they can't use them to reset your other passwords. If you use email software to read your mail (such as Microsoft Outlook or Apple Mail), you'll also need to update that software to log in with your new password.
- Change your password on every account that uses the same password you have used at any time on one of the affected websites.
- Stop reusing the same username/password combination across accounts; give every account its own password.
The first three actions are easy, but many people have difficulty with the fourth. If you have trouble remembering different passwords for your various accounts, consider using a password manager. Three of the most popular are 1Password, Dashlane and LastPass. These programs sit on your own computer, tablet and/or smartphone and log into your accounts for you, so they remember the passwords instead of you.
And NEVER use "password" as your password. That's just asking for trouble.