The reveal this month about the Heartbleed bug's existence has sent the internet into a panic.
The glitch, which allows encrypted information such as passwords to be exposed to hackers in plain text, sent Yahoo, Google and other major websites scrambling to fix the vulnerability. Users have been cautioned to change passwords on many popular websites as a result of the exploit.
While the glitch is arguably one of the most serious the internet has faced, it can be difficult to figure out how this issue affects individual users, especially on such a complex topic. Here are some myths and facts about the Heartbleed bug.
Myth: All internet passwords have been compromised by Heartbleed.
While many passwords are at risk because of Heartbleed, the exploit only affects servers running certain versions of the OpenSSL encryption software. Passwords on sites like Facebook, Apple, LinkedIn and others are not affected by the Heartbleed vulnerability.
Fact: The exploit has affected major websites such as Yahoo and LastPass.
Because of the popularity of OpenSSL as a means to encrypt sensitive information, any website that used the software faced security concerns. Some key websites affected by the vulnerability include Facebook, Instagram, GoDaddy and Netflix.
Yahoo is one of the largest websites affected by the Heartbleed vulnerability because of its many online properties, and the company immediately scrambled to patch its servers. Another notable vulnerable website is LastPass, the password manager service. Users should change their passwords on these and other affected services as well as any of those passwords reused on other sites.
Google previously used the affected version of OpenSSL, but the company indicated that users do not need to change their passwords. A list of websites where users should change their passwords can be found here.
Mostly Myth: There has been widespread exploitation of passwords and other sensitive information.
Part of the Heartbleed bug's danger lies in the fact that it leaves little to no evidence if someone exploits it. But it appears that knowledge of Heartbleed's existence is relatively recent, despite the flaw having existed in OpenSSL for several years.
Because of this, any suspected attacks via the Heartbleed bug are difficult to confirm, but many affected web services believe their individual users did not suffer compromised passwords before the bug's announcement. Still, users should review digital security measures and make sure they're taking precautions to protect themselves online such as strong passwords and two-factor authentication.
Fact: Up to one third of all websites are vulnerable to the Heartbleed bug.
A large portion of websites used the versions of OpenSSL susceptible to Heartbleed, which adds to the inherent vulnerability for the internet as a whole. It's estimated that one third of all websites run the version of OpenSSL susceptible to the bug, but most of those sites patched the bug in the last few weeks. Users can check affected websites here.
Mostly Myth: Bank accounts have been affected by the Heartbleed bug.
The news about Heartbleed prompted many to speculate that sensitive information such as bank account logins and transactions may be at risk, but many financial institutions said in the wake of the bug's discovery that their systems don't use the version of OpenSSL affected by the glitch. Users should frequently change bank account passwords and enable two-step authentication if available.
Fact: Users should change their passwords on affected websites as well as use stronger passwords and two-factor authentication.
The existence of the Heartbleed bug sheds light on the vulnerability of information on the internet as well as the importance of strong passwords and extra layers of authentication when available.
Users should change their passwords on affected websites and any other site reusing those same passwords while also increasing their online security through the use of stronger passwords and two-factor authentication. Many major websites offer two-factor authentication, which allows users to confirm their identity through text messages or smartphone code-generating apps. Users can find tips for setting up two-factor authentication in this article.
Myth: Tax filings with the IRS are exposed to the Heartbleed bug.
News of the Heartbleed bug came in the days and weeks leading up to the April 15 tax deadline, and many users wondered about the security of their online tax filings. The IRS indicated that filings from American users are not affected by the Heartbleed bug, but the Canada Revenue Agency experienced an attack as someone stole up to 600 social security numbers from a server via the Heartbleed bug.
Unclear: The NSA exploited the Heartbleed bug for years before its discovery.
One of the theories about Heartbleed that has gained some traction involves the possibility that the NSA used the Heartbleed vulnerability to steal passwords between the time programmers accidentally introduced the flaw several years ago and its recent discovery. The NSA denies exploiting the vulnerability, and its use is difficult to track, so this theory can't currently be proven or discredited.