The Heartbleed Bug: What You Need to Do

Payments Leader

Posted on June 5, 2014


On April 7, 2014, the world awoke to troubling news: a major online security flaw that lets a knowledgeable attacker pull large amounts of data out of a host of popular services. Dubbed the Heartbleed bug, this vulnerability affected countless major companies and applications, including Gmail, Facebook and others that routinely transmit sensitive information. Unfortunately, many consumers remain vulnerable because they haven't taken some basic steps to protect themselves.

What is Heartbleed?

Heartbleed is a flaw in OpenSSL, the open-source cryptographic library that a large share of websites use to implement SSL/TLS, the protocol behind the padlock in your browser. In simple terms, OpenSSL encrypts data in transit so that it looks like gibberish to prying eyes. While effective, that protection relies on flawless programming: a single mistake in the code can undo it. The Heartbleed flaw (tracked as CVE-2014-0160) was one such mistake, and for roughly two years numerous billion-dollar enterprises were inadvertently leaving passwords, credit card numbers and other personal information exposed to anyone who knew how to ask for them.

How it Works

OpenSSL protects data by encrypting it, but attackers did not need to break the encryption; they exploited the connection's "heartbeat" instead. In the midst of a secure session, one computer periodically checks that the other is still connected by sending a small message, the heartbeat, containing a short payload and a field stating how long that payload is. The other side is supposed to echo the payload back.

Due to a coding error in OpenSSL, the server never checked that claimed length against the number of bytes it had actually received. An attacker could send a heartbeat with a tiny payload but a length field claiming up to 64 kilobytes, and the server would reply with that many bytes copied straight out of its memory. Whatever happened to be sitting next to the request in RAM came back with it: fragments of emails, documents, credit card numbers, passwords, usernames, mothers' maiden names, session cookies and, in the worst case, the server's own private encryption key. Each request returned a different slice, and the attacker could repeat it as often as desired.

Scarier still, a malformed heartbeat looks like ordinary protocol traffic and is not logged by a typical web server, so exploitation left no trace. What's more, the Heartbleed bug was only discovered in April 2014 but had been present since OpenSSL 1.0.1 shipped in March 2012, leaving many to wonder how much sensitive data was tapped in the two years the flaw sat in such widely deployed software.
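To make the missing check concrete, here is an added example (not OpenSSL's own code, and not from the original post) that models the heartbeat handler in about twenty lines each way: a vulnerable version that trusts the length field, and a fixed version that adds the one comparison OpenSSL 1.0.1g introduced. The record layout follows RFC 6520 (type, 2-byte length, payload, 16 bytes of padding); the function names, the simulated heap and the "secret" planted in it are constructed for this demonstration. Because the over-read stays inside one array, the program runs safely and shows the leak directly.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's code: a simplified model of the TLS heartbeat
 * handler (RFC 6520 layout) showing the missing bounds check behind Heartbleed
 * (CVE-2014-0160) and the one-line fix. The function names, the simulated heap
 * and the sample "secret" are constructed for this demonstration. */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16          /* minimum random padding after the payload */

/* Simulated server memory: the incoming record sits at the start and other
 * session data (what a real server holds for other users) sits right after. */
static unsigned char sim_heap[4096];

/* Reads the 2-byte big-endian payload length claimed in the request. */
static size_t claimed_len(const unsigned char *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Vulnerable handler: echoes as many bytes as the peer CLAIMS it sent.
 * rec_len (the number of bytes actually received) is never consulted, so a
 * 3-byte payload with a 1000-byte length field copies ~1 KB of adjacent memory. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    (void)rec_len;                              /* the bug: ignored */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = claimed_len(rec);
    if (3 + payload + HB_PADDING > out_cap) return 0;   /* keeps this demo within 'out' */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);          /* over-read past the real record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Fixed handler: same logic plus the check OpenSSL 1.0.1g added, which drops
 * any request whose claimed payload would not fit in the record received. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t payload = claimed_len(rec);
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;   /* the fix */
    if (3 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Returns 1 if needle occurs anywhere in hay[0..n). */
static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Builds a malicious request (3 real payload bytes, length field = 1000),
 * plants a constructed secret 100 bytes further along the simulated heap,
 * and reports whether the chosen handler leaks it (1 = leaked, 0 = safe). */
int secret_leaks(int use_fix) {
    static const char secret[] = "session=ABC123; card=4111111111111111";
    unsigned char resp[2048];

    memset(sim_heap, 0, sizeof sim_heap);
    unsigned char *req = sim_heap;
    req[0] = HB_REQUEST;
    req[1] = 1000 >> 8;                         /* claims 1000 payload bytes */
    req[2] = 1000 & 0xff;
    memcpy(req + 3, "hi!", 3);                  /* only 3 actually sent */
    memset(req + 6, 0xAA, HB_PADDING);
    size_t rec_len = 3 + 3 + HB_PADDING;        /* 22 bytes on the wire */
    memcpy(sim_heap + 100, secret, sizeof secret - 1);   /* adjacent session data */

    size_t n = use_fix ? heartbeat_fixed(req, rec_len, resp, sizeof resp)
                       : heartbeat_vulnerable(req, rec_len, resp, sizeof resp);
    return n != 0 && contains(resp, n, secret);
}

/* A well-formed 3-byte request still gets its 22-byte echo from the fixed handler. */
size_t legit_response_len(void) {
    unsigned char req[22] = { HB_REQUEST, 0, 3, 'h', 'i', '!' };
    unsigned char resp[64];
    return heartbeat_fixed(req, sizeof req, resp, sizeof resp);
}

int main(void) {
    printf("vulnerable handler leaks secret: %s\n", secret_leaks(0) ? "yes" : "no");
    printf("fixed handler leaks secret:      %s\n", secret_leaks(1) ? "yes" : "no");
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed payload length against `rec_len`; everything else, including the honest 3-byte request, behaves identically. That is why the real fix was a handful of lines, and why the flaw was so hard to spot by reading the surrounding code.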

What You Should Do

Right now, an estimated 60 percent of all websites use OpenSSL, and most have already updated to a fixed release (OpenSSL 1.0.1g or later) to prevent further Heartbleed attacks. However, since data was at risk for so long, users remain vulnerable if they haven't changed their passwords since those updates: any password used on an affected site before the fix should be treated as potentially stolen.

Because new viruses, bugs and security flaws tend to pop up from time to time, it’s important for consumers to avoid complacency by adhering to the following routine practices:

  • Always use strong passwords
  • Change passwords on a regular basis
  • Do not use the same passwords for all sites
  • Do not store passwords in a document labeled passwords
  • Regularly check your credit report to ensure against identity theft

In response to Heartbleed, security experts are encouraging users to change their passwords on any website that might hold sensitive personal or business data. That said, order matters: changing a password before a site has updated its OpenSSL does no good, because the new password can be captured the same way as the old one. Wait until the site confirms it has patched and replaced its security certificate, then change the password. You can check whether a website has performed these critical updates by using this resource. You can also check which sites were affected by Heartbleed by checking here.



Payments Leader from FIS provides insights on credit, loyalty, fraud and emerging payments strategies through blog posts from our industry experienced authors.