Heartbleed: Which websites are now secure?

Companies are scrambling to fix the Heartbleed bug, which might have left supposedly secure information exposed for two years. What websites have patched the issue?

Despite its emotive title, Heartbleed, the Internet bug that has exposed supposedly secure data from more than two-thirds of the Internet’s servers over the past two years, is nothing to take lightly. Since news of the vulnerability broke on Monday night, companies have scrambled to get their security fixes up to date and assess the scale of damage, despite its potentially untraceable impact.

But when something this widespread hits the Internet, it is tough to know the best and safest course of action as a major Internet company as well as a consumer. If researchers release news about the bug too quickly, companies may be caught by surprise without a patch ready to fix the situation. If they move too slowly, hackers may find out about the bug and exploit it while they can. Consumers, on the other hand, are stuck in the awkward middle while this happens, not sure whether to change passwords, update security, or just stay off the Internet altogether.

Right now, companies and consumers are still in limbo, but more has come to light about the fallout from this bug. Here is a list of some major companies, the extent of their vulnerability, and what you should do to keep your data with them secure.

Amazon: The main commerce site is not affected, though if you use certain Amazon Web Services, you should likely change your password or take security precautions. In a statement, Amazon singled out services such as Elastic Load Balancing, Amazon EC2, and Amazon CloudFront as potentially being affected and laid out specific security precautions.

Facebook: The social network patched its security issues before Heartbleed went public, but you should still change your password, says the company. “We haven’t detected any signs of suspicious account activity, but we encourage people to ... set up a unique password,” Facebook reps say in a statement.

Microsoft Azure (cloud services): Microsoft says in a statement, “Microsoft Account and Microsoft Azure, along with most Microsoft Services, were not impacted by the OpenSSL vulnerability. Windows’ implementation of SSL/TLS was also not impacted.” However, if you use Linux images on Azure, you may be vulnerable.

Google: Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine have been patched, and Google Chrome and Chrome OS are not affected by the bug, Google says in a statement. However, the company is still working to fix other Google services and to deliver an update for Android 4.1.1. It may be in your best interest to change your passwords as a precaution.

Yahoo: “As soon as we became aware of the issue, we began working to fix it... and we are working to implement the fix across the rest of our sites right now,” the company says. The sites that were patched (meaning the sites where you should change your password ASAP) include: the Yahoo homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr, and Tumblr.

Netflix: The video streaming site did not specify whether it applied a patch or whether customers were affected, but it did offer this statement: "Like many companies, we took immediate action to assess the vulnerability and address it. We are not aware of any customer impact."

Twitter: The social media site says they did apply a patch, but they believe they were unaffected by the bug. “We are continuing to monitor the situation,” it says in a statement.

Pinterest: The website did apply a patch though they say they didn’t see any “evidence of mischief.” Pinners are encouraged to change their passwords. Here is the website’s statement: "We fixed the issue on Pinterest.com, and didn’t find any evidence of mischief. To be extra careful, we e-mailed Pinners who may have been impacted, and encouraged them to change their passwords."

Soundcloud: The music-sharing site is signing all users out of their accounts as a precautionary measure and has applied a patch in the meantime. Though there wasn’t any indication of an issue, the site encouraged users to change their passwords.

A more extensive list is maintained and updated at Mashable, and you can check if a website is secure through this web tool. Still not sure what to do? Check out our guide on how to stay secure while companies sort this mess out.
