Sign in with
Sign up | Sign in

Heartbleed: Which Passwords You Need to Change

By - Source: Tom's Guide US | B 5 comments
Tags :

Credit: Paramount PicturesCredit: Paramount Pictures

The Heartbleed Internet-security flaw is very bad, but contrary to many media reports, you don't have to run out and change all your passwords now. In some cases, it might be better to wait, or not do it at all.

First, to be clear, you don't need to change any passwords or PINs you use to log into a Windows PC, Mac or mobile device. For the most part, personal computers, smartphones and tablets are not directly affected by Heartbleed.

MORE: Heartbleed: Who Was Affected, What to Do Now

Heartbleed affects Web, email and chat servers by undermining the secure connections they make with you. Not all servers are affected, only those that used certain encryption protocols over the past two years. Most servers running Microsoft software, as well as servers that used other encryption protocols, are unaffected.

Furthermore, although Heartbleed was made public on Monday evening (April 7), some companies got advance warning and patched their vulnerable servers beforehand. Among these were Google, which helped find the flaw, and Facebook. (That doesn't mean they weren't hit before they patched; a Heartbleed attack would have left no trace.)

Most companies got no advance warning, including Yahoo, which scrambled to patch its servers Tuesday even as security researchers found it was easy to see usernames and passwords as users logged into Yahoo Mail.

Because of the complexity of the Heartbleed bug, and the way in which the news got out, there are six categories of websites that were affected in different ways.

The following lists only prominent U.S. websites; for a much more detailed list, see this breakdown of the top 10,000 websites worldwide, compiled Tuesday by former LulzSec hacker Mustafa al-Bassam.

Sites for which you will definitely need to change your password

Yahoo, including Yahoo Mail and any Yahoo Group

Flickr (Yahoo subsidiary)

Tumblr (Yahoo subsidiary)

MORE: Yahoo Mail and Heartbleed: How to Secure Your Account

Sites that have asked users to change their passwords, or are making them do so

Ars Technica


Sites that were, or may have been, vulnerable to Heartbleed

These sites patched their servers after the public disclosure, and it's safe to change your password on them.



Electronic Frontier Foundation






Sites that may still be vulnerable to Heartbleed

Do NOT change your password on any of these sites until they say they have patched their servers. Otherwise, attackers could capture your new password as well.

The Atlantic

The Economist




OK Cupid


Rolling Stone

Stack Overflow

Sites that patched their servers before the Heartbleed disclosure

These sites are at minimal risk, but were nevertheless vulnerable over the past two years while the Heartbleed flaw existed undetected. It wouldn't hurt to change your password on these — and to activate two-step verification on them, and on Yahoo too.

Blogger/Blogspot (Google subsidiary)


Google, including Gmail

Instagram (Facebook subsidiary)

YouTube (Google subsidiary)

MORE: How to Turn On Two-Step Verification

Sites that were never affected by Heartbleed and on which you don't have to change your password




Bank of America



Capital One










Huffington Post






The New York Times





TD Bank



The Wall Street Journal

Wells Fargo


Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

This thread is closed for comments
  • 1 Hide
    agnickolov , April 10, 2014 1:00 PM
    Alas, the full list is not that useful. Quite a few of the sites have no report, like that I checked -- says no SSL even though TigerDirect does use SSL for account login and shopping.
  • 1 Hide
    ddpruitt , April 10, 2014 3:03 PM
    I would argue that the value of the list between nil and none. The vulnerability has been around for 2 years and evidence suggests that hacker's have exploited the flaw. Google might be patched but what about a month ago? or a year ago? To be on the safe side passwords should be changed for any site unless they explicitly state that they haven't run OpenSSL at any time in the last two years.
  • 0 Hide
    tom10167 , April 10, 2014 9:03 PM
    According to Tom's there are... 50 websites on the internet.
  • Display all 5 comments.
  • 0 Hide
    back_by_demand , April 10, 2014 10:57 PM
    There was a link to 10,000 sites, don't be a prick
  • 0 Hide
    Paul Wagenseil , April 11, 2014 7:25 AM
    We ran through Alexa's Top 100 U.S. websites and manually ran checks against each one, using a different tool than Mustafa al-Bassam used to run his script against the top 10,000 Alexa global sites. If you'd like to manually run checks against every site on the Web, we will not stop you.
Tom’s guide in the world
  • Germany
  • France
  • Italy
  • Ireland
  • UK
Follow Tom’s guide
Subscribe to our newsletter
  • add to twitter
  • add to facebook
  • ajouter un flux RSS