Heartbleed: Who Was Affected, What to Do Now

Credit: Codenomicon

UPDATED 9:15 AM EDT Thursday to remove Twitter from list of affected sites, and add OKCupid.

If you've been following the news for the past 24 hours, you've probably heard of the Heartbleed bug that's affecting the security of millions of websites. It's a big deal, with security experts using terms such as "catastrophic" and "devastating."

Unfortunately, there's not a lot the end user can do to fix things. Heartbleed mainly creates problems on Web and email servers. Windows PCs, Macs and mobile devices aren't directly affected, and antivirus software has no impact on Heartbleed. Systems administrators are scrambling to patch server software, but average Internet users have to wait it out.

However, there are a few things every Internet user should do right now. (If you can't wait to see which sites are affected, skip to the end of this story.)

Change your Yahoo, Flickr and Tumblr passwords.

Like millions of other websites, Yahoo and its subsidiaries Flickr and Tumblr were vulnerable to Heartbleed. Unlike many prominent sites, these did not patch their systems before the Heartbleed bug became public knowledge Monday evening (April 7).

Security researchers yesterday (April 8) used Heartbleed to capture usernames and passwords as random people logged into their Yahoo Mail accounts. If the good guys were doing that, you can bet the bad guys were too.

If you used your Yahoo username-password combination to log into other online accounts, change the passwords on those accounts as well.

Consider changing your Google, Facebook and Dropbox passwords.

Each of those services used the affected software, and each has confirmed it was vulnerable to the Heartbleed bug in the past two years. (Scroll down to see a list of other prominent affected sites.)

We haven't heard of anyone trying to use Heartbleed against those services, but one of the tricky things about a Heartbleed exploit is that it would leave no trace. System administrators simply wouldn't know if they'd been attacked.

On your mobile device, log out of all apps, then log back in.

Mobile apps use authorization tokens to keep you permanently logged into Gmail, Dropbox, Yahoo Mail and so on. Attackers could have used Heartbleed to capture those tokens and gain access to your account. But manually logging out of those mobile services, then logging back in a few minutes later, will clear those old tokens and replace them with new ones.

If a service asks you to change your password, do so.

Heartbleed creates a mess for system administrators, and some sites may take days to sort everything out. Even if you change your passwords now, some sites may still be working on the problem and may want you to do it again next week.

If you have a Linux desktop computer, update the OS.

Ubuntu Linux is vulnerable, which means its derivatives Linux Mint and SteamOS probably are, too. Other Linux distributions also used the affected software; a more complete list is available at Heartbleed.com.

Set up two-factor authentication everywhere you can.

Two-factor authentication, also known as two-step authentication or two-step verification, makes you enter a code texted to your mobile phone every time you log into a service from a new computer or device. Unless an attacker, even one who used Heartbleed to capture your username and password, literally has your phone, he or she can't log in.

Google, Facebook, Twitter, Yahoo, Dropbox, Microsoft and LinkedIn all offer two-factor authentication, and Apple provides it for iTunes accounts (but not iCloud).

Check websites yourself for the Heartbleed vulnerability.

Various services have sprung up to check which websites have been affected by Heartbleed. There's a list, compiled yesterday by former LulzSec hacker Mustafa al-Bassam, that tells you which of the top 10,000 sites on the Web are vulnerable to Heartbleed; there's also a real-time Heartbleed checker that tells you which sites are vulnerable now, and even a Chrome browser extension called Chromebleed based on that checker.

None of those, however, can tell you whether a site was vulnerable in the past. For that, use Netcraft's Site Report tool. Enter a URL and then check the results: you'll be looking for "Supported TLS Extensions" under the "SSL/TLS" heading. If "RFC6520 heartbeat" is listed, then the site was vulnerable and you should consider changing your password for it.

(Caveat: Facebook passes the Netcraft test, but a Facebook representative told us that the site did indeed use the affected software before the Heartbleed bug was disclosed.)
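For readers who want to see what the "RFC6520 heartbeat" entry in a site report corresponds to on the wire, here is an added example (not from this article or from Netcraft) that parses the extension list of a TLS ServerHello and reports whether extension type 15, the heartbeat extension, is advertised. The function names and the sample bytes are constructed for illustration; an advertised extension shows the heartbeat feature is switched on, not which OpenSSL version the server runs.

```python
import struct
HEARTBEAT = 15  # TLS extension type assigned by RFC 6520
NAMES = {15: "heartbeat", 35: "session_ticket", 65281: "renegotiation_info"}
MODES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}

def server_hello_extensions(record: bytes) -> dict:
    """Return {type: data} from a TLS record that carries only a ServerHello."""
    if len(record) < 9 or record[0] != 22 or record[5] != 2:
        raise ValueError("not a ServerHello handshake record")
    rlen = struct.unpack_from("!H", record, 3)[0]
    hlen = int.from_bytes(record[6:9], "big")
    if len(record) != 5 + rlen or rlen != 4 + hlen:
        raise ValueError("truncated or inconsistent record")
    msg = record[9:]
    try:
        pos = 2 + 32                  # server_version + random
        pos += 1 + msg[pos]           # session_id length byte + session_id
        pos += 2 + 1                  # cipher_suite + compression_method
        if pos == len(msg):
            return {}                 # the extensions block is optional
        pos, end = pos + 2, pos + 2 + struct.unpack_from("!H", msg, pos)[0]
        exts = {}
        while pos < end <= len(msg):
            etype, elen = struct.unpack_from("!HH", msg, pos)
            exts[etype] = msg[pos + 4:pos + 4 + elen]
            pos += 4 + elen
        if pos != end or end != len(msg):
            raise ValueError
        return exts
    except (IndexError, struct.error, ValueError):
        raise ValueError("malformed ServerHello") from None

def heartbeat_report(record: bytes) -> str:
    exts = server_hello_extensions(record)
    listed = ", ".join(NAMES.get(t, f"type_{t}") for t in sorted(exts)) or "none"
    if HEARTBEAT not in exts:
        return f"no RFC6520 heartbeat (extensions: {listed})"
    mode = MODES.get(int.from_bytes(exts[HEARTBEAT][:1], "big"), "unknown mode")
    return f"RFC6520 heartbeat advertised, {mode} (extensions: {listed})"

def build_sample(exts: bytes) -> bytes:
    """Constructed ServerHello for illustration, not captured from a real server."""
    msg = bytes.fromhex("0303") + bytes(32) + bytes.fromhex("00c02f00")
    msg += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

WITH_HB = build_sample(bytes.fromhex("ff01000100" "000f000101"))
WITHOUT_HB = build_sample(bytes.fromhex("ff01000100"))
```

Calling `heartbeat_report(WITH_HB)` and `heartbeat_report(WITHOUT_HB)` shows the two outcomes a site report distinguishes.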

Look at the bright side.

Believe it or not, there's some good news in all of this. Most servers that run Microsoft software weren't affected by Heartbleed, and plenty of other sites, including Apple, Amazon, eBay, Paypal and most major banks, weren't either.

Systems administrators are going to have a busy week, but it'll be an opportunity for them to implement other security upgrades they've been putting off. You should do the same by creating new, strong passwords for every important online service you use, and implementing two-factor authentication wherever you can. Consider using a password manager, a piece of software that can create and manage strong, unique passwords for each online account you have.

Who was, and who wasn't, affected by Heartbleed

Prominent sites and services openly attacked using Heartbleed, for which you absolutely have to change passwords: Yahoo and, by association, its subsidiaries Flickr and Tumblr.

Prominent sites that have sent out Heartbleed-related password-change emails: Ars Technica, IFTTT.com.

Prominent sites and services formerly vulnerable to Heartbleed attacks, for which you probably should change passwords: Blogger/Blogspot, Dropbox, Facebook, Electronic Frontier Foundation, Etsy, Google, Imgur, Instagram, Netflix, OKCupid, Pinterest, Stack Overflow, Wikipedia, Woot, Wordpress.com/Wordpress.org and YouTube.

Prominent sites and services that don't appear to have been vulnerable to Heartbleed (but we can't be certain): Amazon, AOL, Apple, Ask.com, Bank of America, Bing, Buzzfeed, Capital One, Chase, CNET, Craigslist, eBay, ESPN, Evernote, GoDaddy, Hotmail, HSBC, Huffington Post, Intuit, LinkedIn, Live.com, Microsoft, Newegg, The New York Times, PayPal, Reddit, Salesforce, Target, TD Bank, Twitter, Walmart, Wells Fargo and Zillow.

If you want the gory technical details on what Heartbleed is and how it works, visit Heartbleed.com, read this excellent but dense explanation of Heartbleed by Australian security researcher Troy Hunt or watch this video by security researcher Zulfikar Ramzan.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.