Q&A: how to protect yourself from the Heartbleed bug

10 April 2014

Sensitive personal details could have been stolen from half a million websites by a "catastrophic" cyber attack using a virus called Heartbleed.

The bug, which has affected a range of popular websites including Yahoo!, means information such as name, address, credit card details and passwords, could have fallen into the hands of hackers.

While technology experts are urging anyone using the internet to change their passwords immediately, some fear that doing so could cause further problems.

Here's our guide to what is known about the attack:

What is Heartbleed?

Cyber security expert Bruce Schneier defines it as a bug that allows anyone on the internet to read the memory of the systems protected by vulnerable versions of the OpenSSL software.

OpenSSL is what's used to help encrypt traffic while surfing the web and you might recognise it as the technology behind the padlock that appears at the start of an https web address, which tells you the website is (meant to be) secure.

Tumblr explains the attack to its users in this way: "The little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit."
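The "read the memory" description above comes from a missing length check: OpenSSL's handler for the TLS heartbeat extension echoed back as many bytes as the peer *claimed* to have sent, rather than as many as it had actually received, so the reply carried whatever happened to sit next to the request in the server's memory. The following C program is an added toy model of that bug class and its fix; it is not OpenSSL's code. Memory is simulated with a single array so the over-read stays inside real bounds, and the function names (`build_arena`, `echo_vulnerable`, `echo_fixed`, `contains_secret`) and the "secret" bytes placed after the record are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Simulated server memory: the received record sits at the front, and data
 * that must never leave the server (a constructed sample) sits right after it,
 * as real session data would in a process heap. */
#define ARENA_SIZE 64
#define RECORD_MAX 16            /* bytes of the arena that belong to the record */
#define SECRET_MARK "SECRET"     /* marker used to detect a leak in a reply */

struct arena {
    uint8_t mem[ARENA_SIZE];
};

/* Place the peer's payload at the start of the arena and constructed secret
 * material just beyond the record. */
static void build_arena(struct arena *a, const char *payload) {
    const char *secret = "SECRET:password=hunter2;card=4111"; /* constructed */
    memset(a->mem, 0, sizeof a->mem);
    memcpy(a->mem, payload, strlen(payload));
    memcpy(a->mem + RECORD_MAX, secret, strlen(secret));
}

/* Vulnerable handler: trusts the length the peer claimed and copies that many
 * bytes starting at the record. The only cap is the arena size, which stands
 * in for "whatever memory the process has mapped". */
static size_t echo_vulnerable(const struct arena *a, size_t claimed_len,
                              uint8_t *out, size_t out_cap) {
    if (claimed_len > out_cap) claimed_len = out_cap;
    memcpy(out, a->mem, claimed_len);
    return claimed_len;
}

/* Fixed handler: the claimed length must not exceed the bytes actually
 * received; otherwise the request is dropped and nothing is echoed. Returns
 * the number of bytes echoed, or -1 when the request is rejected. */
static int echo_fixed(const struct arena *a, size_t actual_len,
                      size_t claimed_len, uint8_t *out, size_t out_cap) {
    if (claimed_len > actual_len || claimed_len > out_cap) return -1;
    memcpy(out, a->mem, claimed_len);
    return (int)claimed_len;
}

/* Detection helper for the demo: 1 if the reply contains the secret marker. */
static int contains_secret(const uint8_t *buf, size_t n) {
    size_t mlen = strlen(SECRET_MARK);
    for (size_t i = 0; i + mlen <= n; i++) {
        if (memcmp(buf + i, SECRET_MARK, mlen) == 0) return 1;
    }
    return 0;
}

int main(void) {
    struct arena a;
    uint8_t out[ARENA_SIZE];
    const char *payload = "hello";            /* 5 bytes actually received */
    size_t actual = strlen(payload);
    size_t claimed = 40;                      /* peer lies about the length */

    build_arena(&a, payload);

    size_t n = echo_vulnerable(&a, claimed, out, sizeof out);
    printf("vulnerable: echoed %zu bytes, secret leaked: %s\n",
           n, contains_secret(out, n) ? "yes" : "no");

    int m = echo_fixed(&a, actual, claimed, out, sizeof out);
    printf("fixed: request %s\n", m < 0 ? "rejected" : "accepted");

    m = echo_fixed(&a, actual, actual, out, sizeof out);
    printf("fixed, honest length: echoed %d bytes, secret leaked: %s\n",
           m, contains_secret(out, (size_t)m) ? "yes" : "no");
    return 0;
}
```

The point the model makes is the one that matters for the advice later on the page: nothing is "broken into"; the server volunteers bytes because one check is missing, so a site is only safe to log in to again once its handler behaves like `echo_fixed`.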

What information could have been stolen?

Any personal details entered into supposedly secure websites - name, address (email and postal), date of birth, credit card and debit card details, phone numbers and the passwords used to log in to the websites in the first place.

How long has it been in existence?

While it was only 'discovered' by web experts on Monday 7 April 2014, they fear it could have been infecting cyber space for the past two years.

What is being done about it?

A way to close the 'security hole' has been found and IT experts across the world's biggest websites have been 'patching' the problem. Here's what the major websites implicated have been doing about it:

Google: Believes it has "inoculated itself against the Heartbleed bug before any damage could be done". The Associated Press newswire reports that Google "is telling its users they don't have to change the passwords they use to access Gmail, YouTube and other product accounts."

Facebook: Also thinks it's done enough to tackle the threat but is urging "people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don't use on other sites".

Twitter: Says it wasn't affected.

Amazon: Says it wasn't affected.

eBay (which runs PayPal): Says most of its services avoided the bug.

Yahoo!: Says it has repaired services affected, including its home page, search engine, email, finance and sport sections, Flickr photo-sharing service and its Tumblr blogging service. It is now asking users to "rotate their passwords" and add a backup mobile number to the account.

Will 'patching' be enough to solve the problem?

David Chartier, chief executive of Codenomicon - which diagnosed Heartbleed - says there is still much to be concerned about. "I don't think anyone that had been using this technology [OpenSSL software] is in a position to definitively say they weren't compromised," he says.

"It's hard to know who has done what and what is safe," he added.

Why don't experts agree about whether to change passwords?

Lots of websites are telling their users to change their passwords immediately to protect their details. But some experts say doing so could play further into hackers' hands as they might be able to see the old and new passwords if a website hasn't already been patched.

What should you do?

If security experts can't agree, Moneywise won't tell you either. But we would encourage you to keep a very close eye on all of your bank and email accounts and report anything unusual immediately.