This past Monday, April 7th, 2014, a serious flaw was found in OpenSSL, a software program vital to the security of many websites, including Should I Change My Password. This flaw has become known as the Heartbleed Bug.
In this article, we will let you know how this affects your Should I Change My Password account and your access to other websites, and how we’re helping.
How Heartbleed Affects Your SICMyP Account
In the hours after the Heartbleed bug became known, we updated Should I Change My Password’s server infrastructure to eliminate the vulnerability. In technical terms, we have installed a fixed version of OpenSSL on all of our servers. We have replaced our SSL certificate with one based on new keys, and revoked our old certificate. We also logged out all users from the website.
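As an added illustration of the remediation steps just described (this is example code written for this page, not tooling from Should I Change My Password), the script below performs two offline checks an operator can run against an inventory of hosts: whether the reported OpenSSL build is in the upstream range affected by the heartbeat bug (1.0.1 through 1.0.1f and 1.0.2-beta1), and whether the serving certificate's notBefore date falls after the disclosure date, which is a cheap proxy for "re-keyed". The host names, version banners and certificate dates are constructed sample data, and `audit`, `version_is_vulnerable` and `cert_reissued_after_disclosure` are names chosen for this example.

```python
"""
Added example (not code from the Should I Change My Password post): offline
checks for the two remediation steps the post describes, a fixed OpenSSL build
and a re-keyed certificate. All host names, banners and dates are constructed.
"""
import re
import ssl
from datetime import datetime, timezone

# Upstream OpenSSL releases with the heartbeat bug: 1.0.1 through 1.0.1f
# (1.0.1g fixed it) plus the 1.0.2-beta1 pre-release.
VULNERABLE_101_LETTERS = set("abcdef")

# Disclosure date taken from the post (Monday, April 7th, 2014).
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def version_is_vulnerable(version_banner: str) -> bool:
    """Classify an `openssl version` banner such as 'OpenSSL 1.0.1e 11 Feb 2013'.

    Returns True when the upstream release number is in the affected range.
    Caveat: distribution packages often backport the fix without changing the
    letter (a patched build may still report 1.0.1e), so a True result means
    'confirm against the package changelog', not 'proven exposed'.
    """
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?", version_banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {version_banner!r}")
    major, minor, patch, letter, beta = m.groups()
    release = (int(major), int(minor), int(patch))
    if release == (1, 0, 1):
        # plain '1.0.1' and 1.0.1a-f are affected; 1.0.1g and later are fixed
        return letter == "" or letter in VULNERABLE_101_LETTERS
    if release == (1, 0, 2):
        return beta == "1"  # 1.0.2-beta1 affected, beta2 fixed
    return False


def cert_reissued_after_disclosure(not_before: str, disclosed=HEARTBLEED_DISCLOSED) -> bool:
    """`not_before` is the 'notBefore' string as returned by ssl.getpeercert(),
    e.g. 'Apr  8 12:00:00 2014 GMT'. A certificate issued before disclosure
    may still carry a private key that was readable through the bug."""
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), tz=timezone.utc)
    return issued >= disclosed


def audit(host_records):
    """Return {host: [reasons]} for hosts that still need attention.

    Each record carries 'host', 'openssl' (banner from `openssl version`) and
    'cert_not_before' (from ssl.SSLSocket.getpeercert()['notBefore']).
    """
    findings = {}
    for rec in host_records:
        reasons = []
        if version_is_vulnerable(rec["openssl"]):
            reasons.append("openssl build in affected range")
        if not cert_reissued_after_disclosure(rec["cert_not_before"]):
            reasons.append("certificate predates disclosure (key may be exposed)")
        if reasons:
            findings[rec["host"]] = reasons
    return findings


# Constructed inventory for the example; a real one would be gathered from
# each host rather than typed in.
SAMPLE_INVENTORY = [
    {"host": "web1.example.test", "openssl": "OpenSSL 1.0.1g 7 Apr 2014",
     "cert_not_before": "Apr  8 12:00:00 2014 GMT"},       # patched and re-keyed
    {"host": "web2.example.test", "openssl": "OpenSSL 1.0.1e 11 Feb 2013",
     "cert_not_before": "Apr  8 12:00:00 2014 GMT"},       # re-keyed, build still old
    {"host": "web3.example.test", "openssl": "OpenSSL 1.0.1g 7 Apr 2014",
     "cert_not_before": "Jan 15 00:00:00 2014 GMT"},       # patched, never re-keyed
    {"host": "legacy.example.test", "openssl": "OpenSSL 1.0.0l 6 Jan 2014",
     "cert_not_before": "Apr 10 09:00:00 2014 GMT"},       # 1.0.0 branch, unaffected
]

if __name__ == "__main__":
    for host, reasons in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {'; '.join(reasons)}")
```

Both checks are deliberately conservative: a backported fix will be flagged by the version check until someone confirms it from the package changelog, and re-keying is inferred only from the certificate date, so revocation of the old certificate (the third step in the post) still has to be verified separately against the CA's CRL or OCSP responder.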
We have no indication of suspicious activity on Should I Change My Password that would suggest we suffered any kind of compromise due to the Heartbleed Bug; unfortunately, the nature of the bug means that an attack would have been difficult to detect. As a precaution, therefore, we recommend that you change the password on your Should I Change My Password account if you have logged into the site at any time in the past five days. You can do this using the Account Settings page on the site. We’re sorry for this trouble.
If you wish to be extra cautious, you should change your password even if you haven’t logged into Should I Change My Password recently.
If you used the password for your Should I Change My Password account on any other website, you should change it there too. As always, Should I Change My Password recommends you do not reuse passwords across websites.
How Heartbleed Affects Your Other Accounts
As of Monday, it is estimated that 17% of the world’s secure websites, or roughly half a million sites, were vulnerable due to the Heartbleed Bug. This includes extremely popular sites such as Yahoo Mail, the most popular web email service in the world. If you haven’t already begun to hear from other websites that were affected by Heartbleed, you should expect to soon.
Given the extremely serious and widespread nature of this issue, we encourage you to check with any other website to which you routinely send sensitive data (even if that’s just your login details). You can use a free online tool to test if a website remains vulnerable, but if the site was vulnerable and is now fixed, you have no way of knowing unless it tells you. Particularly for very sensitive services like online banking, it’s worth asking the question if you haven’t heard from them already.
Importantly, if you detect that a site that you use is still vulnerable to Heartbleed, do not change your password until that site has confirmed that the issue has been fixed. If you do, you risk giving an attacker your new password too.
Unlike so many of the vulnerabilities we identify here at Should I Change My Password, the sites affected by the Heartbleed Bug were not affected through negligence or incompetence. Nevertheless, we believe it is fair to judge the sites and services you use by how they respond to it.
If you’d like a deeper understanding of the Heartbleed bug and how it works, here are a couple of good articles online:
- Imagine no SSL encryption, it’s scary if you try (1Password)
- Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style (Ars Technica)
How We’re Helping
Should I Change My Password’s Email Watchdog was built to protect you following events exactly like this one.
Within hours of Heartbleed going public on Monday, security researchers had written proof-of-concept tools to exploit the vulnerability. These tools have now been distributed widely online, and there is no doubt that they are now in the hands of malicious groups that are using them to extract sensitive data from high-profile websites.
In the weeks and months ahead, we expect to see a large volume of this data leaked online. Because attacks based on Heartbleed are so difficult to detect, we expect the sites this data leaks from to be completely unaware of the breach in most cases.
As an Email Watchdog subscriber, you will be notified the moment we spot any of your tracked email addresses or domain names in one of these breaches. If your Email Watchdog subscription doesn’t already cover all the email addresses you and your family use online, now is a perfect time to upgrade.
Best wishes,
Kevin Yank
Chief Technology Officer, Should I Change My Password