Due to a programming error there is a serious security vulnerability in certain versions of the widespread cryptographic software library OpenSSL. This weakness lays open the potential for the theft of information such as usernames and passwords, emails, instant messages and banking details; in fact, any information that you send or have sent across the internet using this popular back-office architecture.
Estimates suggest that the majority of internet traffic uses a version of this architecture although not necessarily the vulnerable version.
How do I know if my information has been compromised?
It may be that this security flaw has been exploited by cyber criminals for many months already. It is possible to remove such sensitive data without detection from vulnerable systems and, as such, your information may already be in the hands of those who will use it in an attempt to steal from you. In short, you cannot know.
How do I protect myself against Heartbleed?
Lists of web sites open to this exploit are being compiled and may be a good starting point but will not be comprehensive. The appropriate course of action is to minimize the potential for exploitation of any of your data that may already have been captured by making it obsolete. To do this you must change the passwords you use to access online services starting with your most sensitive data such as banking and email. Even if you have been assured that your data stored with a particular service is safe, if you have stored an identical password with an unsecured site, you are at risk.
Protect yourself from the Heartbleed vulnerability by changing your passwords on sites where the exploit has been patched. It is important to check that the SSL certificate has been changed prior to changing your password.
Whilst we have been informed that SFN's servers are not running the vulnerable version of OpenSSL I would advise a change in any case.
If you don't already, use a password manager such as LastPass https://lastpass.com
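As an added example, not part of the original post or of any tool it mentions, the following Python script performs the certificate check recommended above: it fetches a site's certificate, reads its notBefore date, and reports whether the certificate was issued on or after the Heartbleed disclosure date (7 April 2014, assumed here as the cut-off). It also compares certificate fingerprints, because a later notBefore alone does not prove the site generated a new private key; comparing the fingerprint you saw before the fix with the one you see now is the stronger check. The hostname and the sample date strings are assumptions for illustration.

```python
"""Heartbleed certificate check: was the site's TLS certificate reissued after disclosure?

Added example, not from the original post. Uses only the Python standard library.
"""
import hashlib
import socket
import ssl
import sys
from datetime import datetime, timezone

# Public disclosure date of Heartbleed (CVE-2014-0160). A certificate whose notBefore
# predates this was in use while the server may have been leaking its private key.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_reissued_after_disclosure(not_before):
    """Return True if a certificate was issued on or after the disclosure date.

    `not_before` is the string SSLSocket.getpeercert() returns under 'notBefore',
    e.g. 'Apr  9 12:00:00 2014 GMT' (note the double space before single-digit days).
    ssl.cert_time_to_seconds() parses exactly that format.
    """
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), tz=timezone.utc)
    return issued >= HEARTBLEED_DISCLOSURE


def fingerprint(cert_der):
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certificate_changed(old_der, new_der):
    """True if the certificate you recorded earlier differs from the one served now.

    Caveat: a changed certificate still does not prove a new key pair was generated;
    some operators re-signed the old public key. Compare the public key too if you can.
    """
    return fingerprint(old_der) != fingerprint(new_der)


def fetch_certificate(host, port=443, timeout=10):
    """Connect with TLS and return (parsed cert dict, DER bytes). Requires network access."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def assess(host, port=443):
    """Human-readable verdict for one host (network). Returns (not_before, reissued, fingerprint)."""
    cert, der = fetch_certificate(host, port)
    not_before = cert["notBefore"]
    return not_before, cert_reissued_after_disclosure(not_before), fingerprint(der)


if __name__ == "__main__":
    # Usage: python heartbleed_cert_check.py example.com  (hostname is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    nb, ok, fp = assess(target)
    verdict = "issued after disclosure" if ok else "PREDATES disclosure: do not trust yet"
    print(f"{target}: notBefore={nb} ({verdict}); sha256={fp}")
```

Run it against each site before changing your password there; if the certificate still predates 7 April 2014, the site may have patched OpenSSL without replacing a possibly leaked key, and a new password could be exposed again. Record the fingerprint once you see a fresh certificate so you can detect if it changes back.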
Already done. It comes from Amazon's Dublin IP address, there isn't a link in the email, so I think it is genuine, despite a small punctuation error...
I think that given what an attacker needs to do to recover a password, and that of all the web sites that were potentially vulnerable only some 17% had the relevant functionality activated, the chances of your password or bank details having been stolen are very slim indeed.
You may also be relieved to hear that although the problem code was present for two years, analysis of traffic logs showed that prior to the bug being made public there was no detectable evidence of it being exploited. Once it went public there were exploits in progress in under 10 minutes.
On the other hand if you have had the same password on some sites for a long long time then now is a good time to change them.
I have come to the conclusion that we had the answer all along - change passwords regularly. With a memory like mine, I need a password manager like LastPass to do it all for me. Then I only have to remember one password. Should be able to manage that.........
The advice seems to be to wait until the problem is fully sorted before changing passwords and limiting Internet access in the meantime.
I noticed that Caisse d'Epargne's website has not allowed access to accounts for a couple of days, but is now back in business. It could be (or may not be) connected with Heartbleed.
The sensible thing would be for the financial institutions and social networking sites to notify users when it is the right time to change passwords. What's the betting they do that?
I checked 4 financial sites that I use and need to use, and the report came back that they all were OK or had been fixed. I would assume that unimportant, incidental sites don't require a change of password, so long as it is different from the password for your important sites.