
The Heartbleed Hit List: The Passwords You Need to Change Right Now

An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services, ones you might use every day, like Gmail and Facebook, and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years.

But it hasn’t always been clear which sites have been affected. Mashable reached out to various companies included on a long list of websites that could potentially have the flaw. Below, we’ve rounded up the responses from some of the most popular social, email, banking and commerce sites on the web.

Some Internet companies that were vulnerable to the bug have already updated their servers with a security patch to fix the issue. This means you’ll need to go in and change your passwords immediately for these sites. Even that is no guarantee that your information wasn’t already compromised, but there’s no indication that hackers knew about the exploit before this week.

Although changing your password regularly is always good practice, if a site or service hasn’t yet patched the problem, your information will still be vulnerable: a new password sent to a server that is still running the flawed OpenSSL version can be exposed in exactly the same way as the old one, so wait for the patch before resetting.

We’ll keep updating the list as new information comes in.

Social Networks

Service | Was it affected? | Is there a patch? | Do you need to change your password? | What did they say?
Facebook | Unclear | Yes | Yes | “We added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed. We haven’t detected any signs of suspicious account activity, but we encourage people to … set up a unique password.”
LinkedIn | No | No | No | “We didn’t use the offending implementation of OpenSSL in www.linkedin.com or www.slideshare.net. As a result, HeartBleed does not present a risk to these web properties.”
Tumblr | Yes | Yes | Yes | “We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue.”
Twitter | Unclear | Unclear | Unclear | Twitter wrote that OpenSSL “is widely used across the internet and at Twitter. We were able to determine that [our] servers were not affected by this vulnerability. We are continuing to monitor the situation.”

Twitter has not yet responded to Mashable’s request for comment.

Other Companies

Service | Was it affected? | Is there a patch? | Do you need to change your password? | What did they say?
Apple | Unclear | Unclear | Unclear | Apple has not yet responded to a request for comment.
Amazon | No | No | No | “Amazon.com is not affected.”
Google | Yes | Yes | Yes* | “We have assessed the SSL vulnerability and applied patches to key Google services.” Search, Gmail, YouTube, Wallet, Play, Apps and App Engine were affected; Google Chrome and Chrome OS were not.
Microsoft | No | No | No | Microsoft services were not running OpenSSL, according to LastPass.
Yahoo | Yes | Yes | Yes | “As soon as we became aware of the issue, we began working to fix it… and we are working to implement the fix across the rest of our sites right now.” Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr were patched. More patches to come, Yahoo says.

*Google said users do not need to change their passwords, but because of the previous vulnerability, better safe than sorry.

Email

Service | Was it affected? | Is there a patch? | Do you need to change your password? | What did they say?
AOL | No | No | No | AOL told Mashable it was not running the vulnerable version of the software.
Gmail | Yes | Yes | Yes* | “We have assessed the SSL vulnerability and applied patches to key Google services.”
Hotmail / Outlook | No | No | No | Microsoft services were not running OpenSSL, according to LastPass.
Yahoo Mail | Yes | Yes | Yes | “As soon as we became aware of the issue, we began working to fix it… and we are working to implement the fix across the rest of our sites right now.”

*Google said users do not need to change their passwords, but because of the previous vulnerability, better safe than sorry.

Stores and Commerce

Service | Was it affected? | Is there a patch? | Do you need to change your password? | What did they say?
Amazon | No | No | No | “Amazon.com is not affected.”
Amazon Web Services (for website operators) | Yes | Yes | Yes | Most services were unaffected or Amazon was already able to apply mitigations (see advisory note here). Elastic Load Balancing, Amazon EC2, Amazon Linux AMI, Red Hat Enterprise Linux, Ubuntu, AWS OpsWorks, AWS Elastic Beanstalk and Amazon CloudFront were patched.
eBay | Unclear | Unclear | Unclear | “The vast majority of our services were not impacted and our users can continue to shop securely on our marketplace.”
GoDaddy | Yes | Yes | Yes | “We’ve been updating GoDaddy services that use the affected OpenSSL version.” Full Statement
PayPal | No | No | No | “Your PayPal account details were not exposed in the past and remain secure.” Full Statement
Target | No | No | No | “[We] launched a comprehensive review of all external facing aspects of Target.com… and do not currently believe that any external-facing aspects of our sites are impacted by the OpenSSL vulnerability.”

Banks and Brokerages

Service | Was it affected? | Is there a patch? | Do you need to change your password? | What did they say?
Bank of America | No | No | No | “We’re currently taking precautions and steps to protect customer data from this threat and have no reason to believe any customer data has been compromised in the past.”
Chase | No | No | No | “These sites don’t use the encryption software that is vulnerable to the Heartbleed bug.”
E*Trade | No | No | No | E*Trade is still investigating.
Fidelity | No | No | No | “We have multiple layers of security in place to protect our customer sites and services.”
PNC | No | No | No | “We have tested our online and mobile banking systems and confirmed that they are not vulnerable to the Heartbleed bug.”
Schwab | No | No | No | “Efforts to date have not detected this vulnerability on Schwab.com or any of our online channels.”
Scottrade | No | No | No | “Scottrade does not use the affected version of OpenSSL on any of our client-facing platforms.”
TD Ameritrade | No | No | No | TD Ameritrade “doesn’t use the versions of openSSL that were vulnerable.”
TD Bank | No | No | No | “We’re currently taking precautions and steps to protect customer data from this threat and have no reason to believe any customer data has been compromised in the past.”
U.S. Bank | No | No | No | “We do not use OpenSSL for customer-facing, Internet banking channels, so U.S. Bank customer data is NOT at risk.”
Wells Fargo | No | No | No | No reason provided.

Government and Taxes

Service | Was it affected? | Is there a patch? | Do you need to change your password? | What did they say?
1040.com | No | No | No | “We’re not vulnerable to the Heartbleed bug, as we do not use OpenSSL.”
FileYourTaxes.com | No | No | No | “We continuously patch our servers to keep them updated. However, the version we use was not affected by the issue, so no action was taken.”
H&R Block | Unclear | No | Unclear | “We are reviewing our systems and currently have found no risk to client data from this issue.”
Healthcare.gov | Unclear | Unclear | Unclear | Healthcare.gov has not yet responded to a request for comment.
Intuit (TurboTax) | Yes | Yes | Yes | TurboTax “has examined its systems and has secured TurboTax to protect against the ‘Heartbleed’ bug.” Full Statement
IRS | Unclear | Unclear | Unclear | “The IRS continues to accept tax returns as normal … and systems continue operating and are not affected by this bug. We are not aware of any security vulnerabilities related to this situation.”

Other

Service | Was it affected? | Is there a patch? | Do you need to change your password? | What did they say?
Dropbox | Yes | Yes | Yes | On Twitter: “We’ve patched all of our user-facing services & will continue to work to make sure your stuff is always safe.”
Evernote | No | No | No | “Evernote’s service, Evernote apps, and Evernote websites … all use non-OpenSSL implementations of SSL/TLS to encrypt network communications.” Full Statement
LastPass | Yes | Yes | Yes | “Though LastPass employs OpenSSL, we have multiple layers of encryption to protect our users and never have access to those encryption keys.”
Netflix | Unclear | Unclear | Unclear | “Like many companies, we took immediate action to assess the vulnerability and address it. We are not aware of any customer impact.”
OKCupid | Yes | Yes | Yes | “We, like most of the Internet, were stunned that such a serious bug has existed for so long and was so widespread.”
SoundCloud | Yes | Yes | Yes | “We will be signing out everyone from their SoundCloud accounts … and when you sign back in, the fixes we’ve already put in place will take effect.”
Spark Networks (JDate, Christian Mingle) | No | No | No | Sites do not use OpenSSL.
Wunderlist | Yes | Yes | Yes | “You’ll have to simply log back into Wunderlist. We also strongly recommend that you reset your password for Wunderlist.” Full Statement