Remember that little padlock icon in your browser (next to the URL) when you log on to your online banking, Yahoo email, or online shopping sites? Without going into the technical details, that symbol means you are on an encrypted (HTTPS) connection to the website you are talking to, so any information you send (such as your login details, credit card numbers or bank account details) is scrambled and no peeping Tom listening in on the connection can get hold of your sensitive details.
The bad news is that a bug known as Heartbleed (CVE-2014-0160) in OpenSSL, the software library many websites use to provide exactly that encryption, has been around for about two years and lets attackers read sensitive information straight out of the server's memory, despite the connection being "secure". More bad news: it may affect the websites you use every day!
Major websites such as Yahoo, Flickr and JB Hi-Fi were also vulnerable (according to The Age and scans done by musalbas on GitHub). Some sites, like Twitter and eBay, do not seem to be affected (unless they were, before musalbas ran the scan).
You can check whether a particular website is affected by going to the Heartbleed test page and entering the domain name of your favourite site. Not every server or website was affected, because it depends on the OpenSSL version running on the server: only servers running OpenSSL 1.0.1 through 1.0.1f (or the 1.0.2-beta1 release) have the bug; 1.0.1g, released on 7 April 2014, fixes it, and older branches such as 1.0.0 and 0.9.8 never had the affected code. Even sites that were affected may have been fixed by now. However, that doesn't mean that no hacker grabbed your details during the two years before the fix was applied.
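If you run a web server yourself, the thing to check is the OpenSSL build behind it. The following Python script is an added example, not code from the original post or from the OpenSSL project: it parses the output of `openssl version`, `openssl version -b` (build date) and `openssl version -f` (compiler flags) and applies the published CVE-2014-0160 version ranges. The build-date heuristic and the verdict strings are this example's own conventions, and the sample banners in the comments are constructed. The caveat it encodes is the one that caught many people out: Debian, Ubuntu and Red Hat backported the fix without bumping the version letter, so "1.0.1e" on its own proves nothing.

```python
"""Decide whether a local OpenSSL build falls in the Heartbleed (CVE-2014-0160) range.

Added example, not from the original post. Version ranges are the published
CVE-2014-0160 ranges; the build-date heuristic and verdict strings are this
example's own conventions.
"""
import re
import subprocess
from datetime import date

# Upstream releases that shipped the bug: 1.0.1 .. 1.0.1f and 1.0.2-beta1.
# 1.0.1g (7 Apr 2014) and 1.0.2-beta2 carry the fix; 1.0.0 and 0.9.8 never
# had the TLS heartbeat code at all.
FIX_RELEASE_DATE = date(2014, 4, 7)

# Matches constructed banners such as "OpenSSL 1.0.1e 11 Feb 2013"
# or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")
# Matches both the old "built on: Mon Apr  7 22:24:40 UTC 2014" layout and the
# newer "built on: Tue Nov  5 15:30:27 2019 UTC" layout.
_BUILD_RE = re.compile(
    r"built on:\s*\w{3}\s+(\w{3})\s+(\d{1,2})\s+[\d:]+\s+(?:[A-Za-z]+\s+)?(\d{4})")
_MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

VULNERABLE = "vulnerable"
NOT_AFFECTED = "not affected"
HEARTBEATS_DISABLED = "not affected (compiled with OPENSSL_NO_HEARTBEATS)"
CHECK_DISTRO = "vulnerable release string, but built after the fix: check the distro advisory"


def parse_openssl_version(banner):
    """Turn 'OpenSSL 1.0.1e 11 Feb 2013' into (1, 0, 1, 'e', None)."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def upstream_vulnerable(banner):
    """True if the upstream release named in the banner shipped with Heartbleed."""
    major, minor, fix, letter, beta = parse_openssl_version(banner)
    if (major, minor) != (1, 0):
        return False
    if fix == 1:
        # 1.0.1 (no letter) through 1.0.1f are affected; 'g' and later are
        # fixed, and multi-letter suffixes (za, zb, ...) come after 'z'.
        return len(letter) <= 1 and letter <= "f"
    if fix == 2:
        # Only the first 1.0.2 beta carried the bug.
        return beta == 1
    return False


def parse_build_date(build_line):
    """Parse the `openssl version -b` line into a date, or None if unparseable."""
    m = _BUILD_RE.search(build_line)
    if not m:
        return None
    month, day, year = m.groups()
    return date(int(year), _MONTHS[month], int(day))


def assess(version_banner, build_line="", cflags=""):
    """Combine the three `openssl version` outputs into one verdict.

    A vulnerable-looking version string on a binary built on or after the
    fix date is ambiguous (distro backports keep the old letter), so it is
    reported as something to confirm rather than as safe.
    """
    if not upstream_vulnerable(version_banner):
        return NOT_AFFECTED
    # Builds configured with `no-heartbeats` carry this define in their cflags
    # and have no heartbeat handler to exploit.
    if "OPENSSL_NO_HEARTBEATS" in cflags:
        return HEARTBEATS_DISABLED
    built = parse_build_date(build_line)
    if built is not None and built >= FIX_RELEASE_DATE:
        return CHECK_DISTRO
    return VULNERABLE


def assess_local_openssl(binary="openssl"):
    """Run the real `openssl` binary on this machine and assess it."""
    def run(*args):
        return subprocess.run([binary, "version", *args], capture_output=True,
                              text=True, check=True).stdout.strip()
    return assess(run(), run("-b"), run("-f"))


if __name__ == "__main__":
    print(assess_local_openssl())
```

Run it on the server itself (not from a client), and treat the "check the distro advisory" verdict as exactly that: a vendor changelog or the package's security advisory is the only reliable confirmation that a backported fix is present.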
Do not log in to Yahoo! The OpenSSL bug #heartbleed allows extraction of usernames and plain passwords! pic.twitter.com/OuF3FM10GP
— Mark Loman (@markloman) April 8, 2014
So what do you need to do now? If you are unsure, change your passwords, but wait until each affected site has fixed the issue first: a password you set while the server is still vulnerable can be grabbed just like the old one. Check whether the site has published any news about the bug, as LastPass and Ars Technica did:
I’m not sure whether the big banks are affected – hope we have official news from them soon (UPDATE: At least ANZ and NAB have confirmed on Twitter that they aren’t affected). Mashable has also published a list of affected sites, but in short, at least change your passwords for:
- Google Services (which will cover Gmail, Google Drive, etc)
This is a major security issue and should be taken seriously!
UPDATE: Even if you have turned on two-factor authentication (i.e. you log in with your password plus a code sent to your phone by SMS), you still HAVE TO change your password. Heartbleed exposes the contents of the server's memory, which can include your password itself, and two-factor authentication only protects the second step of the login; it does nothing about a password that has already been read out.