Heartbleed: Which websites are now secure?

Companies are scrambling to fix the Heartbleed bug, which might have left supposedly secure information exposed for two years. What websites have patched the issue?

Kacper Pempel/FILE/REUTERS
File illustration picture of computer keyboard with letters stacked forming the word 'password' taken in Warsaw, December 12, 2013. Security experts warn there is little Internet users can do to protect themselves from the recently uncovered "Heartbleed" bug that exposes data to hackers, at least not until vulnerable websites upgrade their software.

Despite its emotive title, Heartbleed, the Internet bug that has exposed supposedly secure data from more than two-thirds of the Internet’s servers over the past two years, is nothing to take lightly. Since news of the vulnerability broke on Monday night, companies have scrambled to get their security fixes up to date and assess the scale of damage, despite its potentially untraceable impact.

But when something this widespread hits the Internet, it is tough to know the best and safest course of action as a major Internet company as well as a consumer. If researchers release news about the bug too quickly, companies may be caught by surprise without a patch ready to fix the situation. If they move too slowly, hackers may find out about the bug and exploit it while they can. Consumers, on the other hand, are stuck in the awkward middle while this happens, not sure whether to change passwords, update security, or just stay off the Internet altogether.

Right now, companies and consumers are still in a limbo, but more has come to light in terms of the fallout from this bug. Here is a list of some major companies, the extent of their vulnerability, and what you should do to keep your data with them secure.

Amazon: The main commerce site is not affected, though if you use certain Amazon Web Services, you should likely change your password or take security precautions. In this statement, Amazon singled out services such as Elastic Load Balancing, Amazon CE2, and Amazon Cloud Front, as potentially being affected and laid out specific security precautions.

Facebook: The social network patched its security issues before Heartbleed went public, but you should still change your password, says the company. “We haven’t detected any signs of suspicious account activity, but we encourage people to ... set up a unique password,” Facebook reps say in a statement.

Microsoft Azure (cloud services): Microsoft says in a statement, “Microsoft Account and Microsoft Azure, along with most Microsoft Services, were not impacted by the OpenSSL vulnerability. Windows’ implementation of SSL/TLS was also not impacted.” However, if you use Linux images on Azure, you may be vulnerable.

Google: Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine have been patched, and Google Chrome and Chrome OS are not affected by the bug, Google says in a statement. However, the company is still working to fix other Google services, as well as an update to Android 4.1.1. It may be in your best interest to change your passwords out of precaution.

Yahoo: “As soon as we became aware of the issue, we began working to fix it... and we are working to implement the fix across the rest of our sites right now,” the company says. The sites that were patched (meaning the sites where you should change your password ASAP) include: the Yahoo homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr, and Tumblr.

Netflix: The video streaming site was not specific whether there was a patch or if customers were affected, but it did offer this statement: "Like many companies, we took immediate action to assess the vulnerability and address it. We are not aware of any customer impact."

Twitter: The social media site says they did apply a patch, but they believe they were unaffected by the bug. “We are continuing to monitor the situation,” it says in a statement.

Pinterest: The website did apply a patch though they say they didn’t see any “evidence of mischief.” Pinners are encouraged to change their passwords. Here is the website’s statement: "We fixed the issue on Pinterest.com, and didn’t find any evidence of mischief. To be extra careful, we e-mailed Pinners who may have been impacted, and encouraged them to change their passwords."

Soundcloud: The music-sharing site is signing all users out of their accounts and applied a patch in the meantime as a precautionary measure. Though there wasn’t any indication of an issue, the site encouraged users to change their passwords.

A more extensive list is maintained and updated at Mashable, and you can check if a website is secure through this web tool. Still not sure what to do? Check out our guide on how to stay secure while companies sort this mess out.

of stories this month > Get unlimited stories
You've read  of  free articles. Subscribe to continue.

Unlimited digital access $11/month.

Get unlimited Monitor journalism.