The Heartbleed bug - what do you need to do?

11 April 2014 at 7:05 am

This week the web was rocked by a security bug nicknamed Heartbleed. In short, it’s a flaw in a commonly used security system that potentially two-thirds of websites use to keep information like usernames and passwords secure.

The flaw was discovered by security researchers in Finland in the last couple of weeks. By now, most sites that were vulnerable to the flaw have patched it.

There have been no confirmed instances of hackers or cybercriminals using this flaw to steal information. But that doesn't necessarily mean it hasn't happened, and the fact that the flaw dates all the way back to December 2011 means that personal information may have been compromised.

Here's a guide to which other sites have and have not been affected, and what exactly you should do about changing your passwords. This is not an exhaustive list.

Tthere are sites which are capable of checking whether a particular website is still vulnerable to Heartbleed. However, in an unpredictable and unhelpful twist, it has been pointed out (here) that doing so may in fact be illegal under the Computer Misuse Act.

But there is some good news: The login information for your online banking is almost certainly safe. Halifax, RBS, HSBC, Natwest, Lloyds, Barclays, Santander and Co-op have all confirmed that their systems were unaffected.

If in doubt, it is always a good idea to regularly change your online passwords. If a site has reported that it was vulnerable to Heartbleed, you should change your password but only if you are sure that they have since fixed the problem. If they have not, you may be at greater risk by changing.

Email providers
Here are the ones that were vulnerable:

• Yahoo Mail: It was affected. But now it has been patched. Yahoo Mail was vulnerable to attack but has since announced that it has been patched, along with other main Yahoo sites such as Yahoo Search, Finance, Sports, Flickr and Tumblr.

• Gmail: Was affected; now it's patched. Google says you don’t need to, but just to be safe, you should probably change your password for the following Google services: Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. Google Chrome and Chrome OS were not affected.

And the ones that were not:

• AOL and Hotmail/Outlook.

Online shopping
Here are the ones that were vulnerable:

• eBay (partly): In a statement, eBay said "eBay is aware of the security vulnerability identified in a version of Open SSL, also known as the Heartbleed Bug. The vast majority of our services were not impacted and our users can continue to shop securely on our marketplace."

And the ones that were not:

• Amazon: Was not affected. Amazon Web Services, which is a totally different system used by website owners, was affected - so, smaller sites you use could have been affected if they used Amazon for their hosting. But this is nothing to do with shopping on Amazon.

• PayPal: Was not affected.

Social networks
Here are the ones that were vulnerable:

• Tumblr was affected, but it has since been patched.

• Facebook: Was affected. According to the Telegraph, Facebook became aware of the issue before it was made public and has taken steps to ensure it was secure.

Pinterest: In a statement, Pinterest said: "This week we took steps with many other websites affected by Heartbleed in acting quickly to secure accounts. We fixed the issue on Pinterest.com, and didn’t find any evidence of mischief. To be extra careful, we e-mailed Pinners who may have been impacted, and encouraged them to change their passwords."

And the ones that weren't:

• Twitter: Apparently Twitter has ascertained that none of its servers were using SSL, the security format which Heartbleed exploits.

• LinkedIn: Was not affected.

Other important websites
Here are some more sites that were vulnerable, and have now restored their security:

• Dropbox

• OkCupid

• SoundCloud

• Netflix

• Airbnb

And the ones that were not:

• Apple: An Apple spokesperson told Yahoo Tech that “Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key web-based services were not affected.” So, no need to change your password.

• Microsoft

• Evernote

A list of sites which were originally vulnerable can be found here. Many of these sites will by now have fixed the problem but please check with them before changing any password information.

Daily Record
Tensions escalate as Tenerife told to get rid of Brits wearing popular item on beach
Opera star Ainhoa Arteta has spoken out following protests by locals against UK holidaymakers.
9 hours ago
Chronicle Live
Martin Lewis warns millions of UK drivers of £1,000 fines for 'annoying' £14 rule
The Money Saving Expert founder has warned that 3.6 million UK motorists are at risk of a £1,000 DVLA fine
6 hours ago
Wales Online
Drivers 'mind blown' after realising their car handle has 'secret' function
Many people have been left impressed after finding out about the 'little known' function they never knew existed
a day ago
Daily Record
Gemma Atkinson says Gorka 'left home five weeks ago' and she has 'no idea' where he is
Gemma Atkinson has spoken about her relationship with her fiance Gorka Marquez, including having discussed them being away from each other due to work commitments.
5 hours ago
Nottinghamshire Live
Drivers can slash 25 per cent off fuel costs by removing one item from their car
Motorists can save up to 25 percent on petrol and diesel by removing one item from their car, according to motoring experts. The item in question is a common sight on many vehicles
a day ago
Daily Record
ITV The Chase's Mark Labbett calls for medic as Bradley Walsh left in 'physical pain' over comment
The Chase viewers were left in stitches after The Beast 'called a medic' for Bradley after the ITV host was left gobsmacked by a contestant's remark.
20 hours ago
The Independent
Pub landlord stabbed to death by ex-sister-in-law seconds after calling police, court told
Stephanie Langley said ‘I’m glad I did it’ as paramedics tried to save him, court told
19 hours ago
The National
Nicola Sturgeon speaks out after husband charged by police
FORMER first minister Nicola Sturgeon has spoken out after her husband was charged in connection with embezzlement amid a police probe into the party's finances.
4 hours ago
Sky News
Warwick Davis's wife Samantha dies aged 53
Samantha Davis, the wife of Star Wars and Harry Potter actor Warwick Davis and herself an actress, has died aged 53. Samantha co-founded the dwarfism charity Little People UK and featured in the final Harry Potter film, alongside Warwick. Warwick announced the news in a statement to the BBC, revealing she had died on 24 March.
2 days ago
The Telegraph
JK Rowling is rightly turning her fury against those who colluded in the trans nightmare
Following the Cass Review, a riveting ding-dong has broken out on X (formerly Twitter) between JK Rowling and the TV presenter Kirstie Allsopp. In broad terms, Allsopp belongs to the Pollyannaish “Be kind to trans people” (what harm do pronouns do?) side.
a day ago
Bristol Live
Warning as Brits not aware of big change to enter EU countries in six months
Concerns have been raised that people have no idea of a massive post Brexit change which could lead to delays at airports
a day ago
Hello!
Prince Louis' surprising favourite hobby revealed by dad Prince William ahead of 6th birthday
Prince William has revealed his youngest son Prince Louis' favourite hobby ahead of his 6th birthday on Tuesday…
5 hours ago
Daily Record
Prince Harry and Meghan Markle 'in difficult position' over King Charles' Balmoral invite
King Charles is said to have extended an olive branch to his youngest son and his wife by 'hinting' they should visit Balmoral this summer - but it could put the couple in a 'difficult position'.
a day ago
Sky News
Targeted Israeli strike is a message - and Iran's response so far is telling
If this Israeli attack on Iran is no more than it presently appears to be, then it is rather well modulated. If the airbase at Isfahan has been attacked - home to the 8th Tactical Air Wing of the Iranian Air Force, and not a Revolutionary Guard installation - then the Israelis are making their point against a conventional military target. It is not an enrichment plant or a reactor, but the wide-ranging nuclear research conducted there involves some 3,000 Iranian nuclear scientists.
7 hours ago
OK! Magazine
Prince Harry and brother William ‘haven’t been truly happy together’ since key moment six years ago
Prince Harry and his brother Prince William were said to be inseparable - but one moment six years ago at Harry's wedding their 'happiness together' reportedly changed
18 hours ago
The Telegraph
Netanyahu has done what the world warned him not to
Israel’s strike on Iran on Friday morning will not come as a surprise to Western observers – but it will cause great concern in Washington and London as the region tips closer towards an all-out war.
12 hours ago
The National
Fiona Bruce scolds top Tory minister amid fiery Question Time clash
BBC Question Time host Fiona Bruce was forced to intervene and reprimand a Tory Cabinet Secretary after he launched a personal attack on another panellist ...
8 hours ago
Bristol Live
Holidaymakers warned as drug-resistant illness hits five European Union hotspots
The outbreak is believed to have been made worse at a festival and travellers are being warned about symptoms and how to avoid getting it
8 hours ago
Yahoo Life UK
‘After nine years together my husband agreed to a polyamorous relationship’
Alice Lovegood says asking her husband to be polyamorous has improved their relationship.
2 hours ago
Birmingham Live
Prince Harry drops major sign he has 'finally cut ties with the UK'
The Duke of Sussex has made a change on official documents
2 days ago

Latest stories