Heartbleed: What you should do (and not do) to protect your data

Don’t change your password (except in certain instances). Don’t update security (unless it is the pre-approved software fix). Maybe just stay off the Internet for a few days (seriously). With Heartbleed, the security flaw that could affect two-thirds of all websites, all bets are off.

Robert Galbraith/Reuters/File
The Yahoo logo is at the company's headquarters in Sunnyvale, California. Yahoo is one of the major companies that has been deemed vulnerable in the massive Heartbleed attack.

It’s likely you have seen the open-source encryption code OpenSSL without realizing what it does. The software encrypts information on websites, such as passwords. Two-thirds of websites are estimated to use the code.

However, cybersecurity researchers now know that the system was flawed. The issue may have gone undetected for more than two years, allowing hackers to run a program, nicknamed Heartbleed, that revealed encryption keys and browser history, offering easy access to passwords and private communication in an undetectable way. Since the story broke Monday night, researchers have been scrambling to find a solution to the problem, which has affected websites as large as Yahoo.

When cybersecurity breaches break, the usual protocol is to change your password and update security software as soon as possible. However, Heartbleed is a bit different. Since the hack is untraceable, it may be impossible to know if your data has been breached. If a website you use hasn’t updated its security to fix the problem yet, hackers could grab your password as you change it (without you realizing). Though a new version of OpenSSL that patches the bug has been released, not all websites have updated their systems.

Here’s how to keep your information safe online while the Heartbleed situation gets under control.

Check if the websites you use are vulnerable

The scope of the problem isn’t yet confirmed, so before entering any sensitive information into a website, double check to be sure it is safe. Use this Web page to check if a website is vulnerable, and if it is, wait until the site has confirmed it has updated its security before you input any sensitive information.

Early monitoring of the situation found that websites such as Yahoo, OkCupid, and Eventbrite were vulnerable, though some have begun making the necessary security fixes. Here is an updating list of websites and whether they are affected. Even if a website is in the clear, use caution while inputting information in the next few days.

Don’t rush to change your passwords (but if you really want to, change the important passwords first)

“Security experts suggest waiting for confirmation of a fix, because further activity on a vulnerable site could exacerbate the problem,” CNET found.

Once you have confirmed that a website has updated its security, change passwords on bank accounts and e-mail, even if they have an extra authentication step.

However, if it isn’t a must-use website, it wouldn’t hurt to stay away from the site for a few days until the fallout becomes clearer, just in case a hacker is still tracing password changes. Tor, the browser that maintains anonymity for users, suggested those who are very concerned about privacy may just want to stay offline for the next few days (its clients, relays, and hidden services were affected by the bug).

Monitor bank accounts and keep an eye out for any unusual activity

As hackers could have gained access to saved credit card information, in addition to passwords and private information, it may be a safe bet to keep an eye on bank accounts. Even if your bank isn’t a vulnerable site, Heartbleed may have latched onto cookies, which can reveal your history (and therefore provide a potential window into secure information), if you visit any vulnerable website. Aside from major websites, such as Yahoo, which are certainly working to make a fix, don’t be afraid to reach out to smaller businesses that may have your sensitive information online as well to ensure they are working toward a solution.

If any unusual activity occurs, contact your bank.

Stay tuned

As the breach was just revealed on Monday night, there is no doubt that most companies’ tech teams are working around the clock to update the code as well as attempt to figure out whether user data was compromised. However, there is still a lot yet to be revealed about the bug. Keep up to date to find out whether your data has been compromised.
