In case you’ve been living under a digital rock for the past few weeks, or you just want a nice update on what’s going on in the internet world, meet Heartbleed: cyber-security’s latest affliction.
Heartbleed, in a nutshell, is an internet security bug within the OpenSSL security software that left people’s private information – things like passwords, credit card info, and even Social Security numbers – vulnerable to exploitation on millions of websites that rely on SSL security to encrypt sensitive data. Now that may sound like really bad news – and it definitely is in principle. However, it’s not quite as bad as it seems.
Despite Heartbleed’s terrifying capability, this potentially catastrophic hole in the protection of your cyber-info was created unintentionally, and thus without malicious purpose. Indeed, the lines of code containing the bug were added by a volunteer programmer, and Heartbleed was created completely by accident. For this reason, the Heartbleed bug went more than two years without being detected; nobody seems to have known of its existence prior to its public disclosure by OpenSSL on April 7th. Appropriately, the disclosure was accompanied by a patched version of the software for sites to install. The extended unawareness is particularly striking, given that OpenSSL is used daily by tens of millions of users across hundreds of millions of websites and online accounts. The bug was included by accident, and it seems cyber-criminals were not aware of it either. Apart from a few small last-ditch, post-disclosure incidents which only affected a few hundred people, Heartbleed doesn’t appear to have been exploited effectively.
So what should you do, if anything? Well, most sites are secured now and experts don’t believe anyone has your sensitive information lying around, but that doesn’t mean anyone can actually prove it. You likely have already been prompted by some of the websites you frequent to update your password(s). We recommend you continue doing just that on any sites that contain sensitive info you wouldn’t want falling into the wrong hands. Change your passwords to something new, and something secure. This means using at least one uppercase letter, number and special character. Changing passwords regularly (annually) is a great security practice anyway, but most people fail or refuse to do so. Well, now you can thank Heartbleed for forcing you to change that terrible decade-old password that also happens to be your favorite pet’s name.