What does Heartbleed mean for you?
You may have recently read articles about the Heartbleed bug and how it has the potential to compromise every password you use to access Internet sites. This bug is found in software called OpenSSL, which helps make sure the information you send to websites is secure. If the Heartbleed bug affected a website where you have to log in—such as your email, online banking, online shopping, or social media—then a cyber criminal could have learned your username and password. That criminal could then use your username and password to log into the same website. (Remember that this is only true if the website had the Heartbleed bug.)
About the Heartbleed bug
Heartbleed is a vulnerability in the encryption technology that many websites use to protect information, such as names, addresses, passwords, and credit card numbers. The vulnerability has been found in several websites for email, banking, online shopping, and social networking that use OpenSSL software. The bug can allow someone to obtain data provided over the Internet even if the site appears to be secure, i.e., the URL begins with “https://” or “shttp://”. Even if the padlock symbol is displayed in the URL bar, this bug means that the site may still be insecure. There is a patch for this vulnerability in the OpenSSL encryption software that websites can apply to fix the problem, and many websites have already applied it. It is also important to understand that this is a fluid situation, and the scope and scale will continue to evolve as we dig deeper into the vulnerability.
Tips for Consumers
Many major websites are telling their users to change their passwords immediately. Other sites have made it clear to users that they were unaffected and that user information is safe.
The Department of Homeland Security’s Stop.Think.Connect.™ Campaign offers these tips to consumers to help protect themselves from Heartbleed and other potential vulnerabilities:
- Check to see if websites you frequently use were ever vulnerable to Heartbleed. Many websites are posting this information on their own sites. Others may proactively reach out with emails (however, be wary of spearphishing scams as noted below). There are also third-party websites that allow you to check on a site’s vulnerability. If you are not sure whether a website was vulnerable or has taken the appropriate actions, you may also try contacting its customer service directly.
- Website providers need to take several actions to protect their sites if they were affected. Change your password only once you’ve confirmed that an affected website has taken all the steps necessary to make the site secure; a password changed before the fix is in place could be exposed again. Begin with the sites that contain your most sensitive personal information, such as banking and credit card websites, email, and social media accounts.
- If you re-use the same password for multiple websites, you should change that password at every website, even if that website wasn’t vulnerable. It’s good practice to have a different password for every website. If you did not re-use your password and a website was never vulnerable to Heartbleed, you do not need to change your password for that site.
- Be aware of possible phishing attacks. If you receive an email claiming to be from your email provider, bank, or another website you frequently log onto prompting you to change your password, make sure the email is legitimate. To be safe, go directly to websites to change your password, and type the link yourself rather than clicking on links embedded in emails.
- Closely monitor your credit and accounts for suspicious activity. Keep an eye out for purchases you didn’t make, or messages you didn’t send or post over the next few weeks.
- Ensure websites that require personal information are secure. Whenever a website requires you to provide personal information, such as your credit card or bank account number, make sure the URL begins with “https://” or “shttp://”.
The Stop.Think.Connect.™ Campaign is a national public awareness campaign aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online. For more cyber resources and tips, please visit www.dhs.gov/stopthinkconnect.