The internet security bug known as “Heartbleed”, announced this week, has stunned everyone: it affects more than half a million widely trusted websites and had been in place for about two years before being identified. (Please share this information with anyone who you think may not be aware of what action to take.)
Some security experts are advising changing all of your passwords, but before you do, here’s what you need to know:
French-test.com and Kwiziq.com
Were we affected: Yes
Has it been patched: Yes
Do you need to change your password: Almost certainly not (see below).
Technical details: We’re not advising users to change passwords with us; however, you should check the list of sites below and change any that store sensitive information about you, especially financial details like credit cards. Our sites are not high-risk because:
1. We generate a random initial password for you. This guarantees your password with us is different to your other accounts and therefore can’t be stolen and used to access any other sites.
2. We don’t store any "stealable" information about you, just your email address. For example, we never store payment card details; they’re all held by PayPal (who, by the way, were not affected by this bug).
3. We’re still quite new and small and extremely unlikely to be a target.
4. However, if you want to be on the safe side, you can easily change your password here.
Which passwords on other sites should you change?
Firstly, there’s no point changing passwords with any site until they have confirmed they have patched the problem.
Here’s a brief explanation of the problem. There are two types of web pages: secure web pages (these have https:// at the beginning, where the ‘s’ means secure) and plain text web pages (beginning with http://). Most websites serve a combination of these, only switching to secure connections when dealing with sensitive information such as logging in, passwords, card transactions, etc. All other web pages are sent over the internet in plain text and can be "snooped".
The Heartbleed bug means that a hacker who knows of the bug and how to exploit it (which is not easy) can potentially snoop on some secure connections and steal email addresses, passwords, and credit card information if that’s what the webpage was sending to and from your computer at the time.
Since the bug has been around for two years, a lot of pages thought to be secure were potentially vulnerable, although that doesn’t necessarily mean anything was broken into.
Major sites that were affected and likely to have been targeted
YOU SHOULD CHANGE PASSWORDS IF YOU HAVE ACCOUNTS WITH THESE WEBSITES.
Sites not affected
Most bank websites claim not to have been affected: they don’t use OpenSSL, so this is reasonable. But do check yours.
Two other popular websites are also not affected: AOL and Amazon.
If in doubt, do change your password after ensuring that the bug has been patched.
General advice about passwords
1. Don’t reuse the same passwords on different websites. Use a separate password for each website, so if one is stolen it can’t be used to open any other (think of them as keys to houses and make sure they’re different).