Heartbleed – which sites do you need to update your password for?
You have no doubt by now heard about the encryption flaw called Heartbleed. It has already been called one of the biggest security threats the Internet has ever seen and has affected many popular websites and services — ones you might use every day. Here’s a quick list of the most popular ones that may require you to update your details.
If you have accounts with Gmail (maybe) and Facebook (more than likely) the Heartbleed hole could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years.
Due to the nature of the Heartbleed bug, you’ll need to wait until affected sites update their infrastructure before you change your passwords.
Handily, the LastPass Security Check tool now includes recommendations for Heartbleed, letting you know which sites have closed the hole, when, and if you should update yet.
To run the tool, just click on LastPass and check the site’s URL – here’s the result for Apple.com.
Obviously the list below is not extensive – check out the mahoosive one produced by GitHub. Thanks to Christian for the tip 🙂
Social networks
| Was it affected? | Is there a patch? | Change your password? | Company statement |
Unclear | Yes | Yes | “We added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed. We haven’t detected any signs of suspicious account activity, but we encourage people to set up a unique password.” | |
No | No | No | “We didn’t use the offending implementation of OpenSSL in www.linkedin.com or www.slideshare.net. As a result, HeartBleed does not present a risk to these web properties.” | |
Tumblr | Yes | Yes | Yes | “We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue.” |
Unclear | Unclear | Unclear | Twitter wrote that OpenSSL “is widely used across the internet and at Twitter. We were able to determine that [our] servers were not affected by this vulnerability. We are continuing to monitor the situation.” |
| Was it affected? | Is there a patch? | Change your password? | Company statement |
AOL | No | No | No | AOL says that it was not running the vulnerable version of the software. |
Gmail | Yes | Yes | Yes* | “We have assessed the SSL vulnerability and applied patches to key Google services.”*Google said users do not need to change their passwords, but because of the previous vulnerability, better safe than sorry. |
Hotmail / Outlook | No | No | No | Microsoft services were not running OpenSSL, according to LastPass. |
Yahoo Mail | Yes | Yes | Yes | “As soon as we became aware of the issue, we began working to fix it… and we are working to implement the fix across the rest of our sites right now.” |
Top tech companies
| Was it affected? | Is there a patch? | Change your password? | Company statement |
Apple | Unclear | Unclear | Unclear | Apple has not commented yet but see the LastPass result above. |
Amazon | No | No | No | “Amazon.com is not affected.” |
Yes | Yes | Yes* | “We have assessed the SSL vulnerability and applied patches to key Google services.” Search, Gmail, YouTube, Wallet, Play, Apps and App Engine were affected; Google Chrome and Chrome OS were not.*Google said users do not need to change their passwords, but because of the previous vulnerability, better safe than sorry. | |
Microsoft | No | No | No | Microsoft services were not running OpenSSL, according to LastPass. |
Yahoo | Yes | Yes | Yes | “As soon as we became aware of the issue, we began working to fix it… and we are working to implement the fix across the rest of our sites right now.” Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr were patched. More patches to come, Yahoo says. |
Shopping
| Was it affected? | Is there a patch? | Change your password? | Company statement |
Amazon | No | No | No | “Amazon.com is not affected.” |
eBay | Unclear | Unclear | Unclear | “The vast majority of our services were not impacted and our users can continue to shop securely on our marketplace.” |
PayPal | No | No | No | “Your PayPal account details were not exposed in the past and remain secure.” Full Statement |
Media and tools
| Was it affected? | Is there a patch? | Change your password? | Company statement |
Dropbox | Yes | Yes | Yes | On Twitter: “We’ve patched all of our user-facing services & will continue to work to make sure your stuff is always safe.” |
Evernote | No | No | No | “Evernote’s service, Evernote apps, and Evernote websites … all use non-OpenSSL implementations of SSL/TLS to encrypt network communications.”Full Statement |
Netflix | Unclear | Unclear | Unclear | “Like many companies, we took immediate action to assess the vulnerability and address it. We are not aware of any customer impact.” |
SoundCloud | Yes | Yes | Yes | “We will be signing out everyone from their SoundCloud accounts … and when you sign back in, the fixes we’ve already put in place will take effect.” |
