The Heartbleed Aftermath Drags On: What Passwords You Need to Change Now

image

This week the web was rocked by a security bug called Heartbleed. In short, it’s a flaw in a commonly used security system that potentially two-thirds of websites use to keep information like your passwords secure.

As I mentioned yesterday, all you can really do about the flaw is change your passwords. But it’s best to wait to do that until a website has fixed everything. Otherwise you could very well be handing over your new password to an undetected attacker.

By now, most sites that were vulnerable to the flaw have patched it.

Some good news first: The login information for your bank is most likely safe. The following financial institutions have not been affected by Heartbleed: Bank of America, Chase, E*Trade, Fidelity, PNC, Schwab, Scottrade, TD Ameritrade, TD Bank, U.S. Bank, and Wells Fargo.

And now it’s time for everyone’s faaaaavorite game: What Passwords Do I Need to Change Today?

First up:

Email providers
Here are the ones that were vulnerable:

• Yahoo Mail: Was affected! But patched. You should change your password.

• Gmail: Was affected! But patched. A Google representative told Mashable you need not change your password. But you should probably do it anyway, just in case.

And the ones that were not:

• AOL: Was not affected. You do not need to change your password.

• Hotmail/Outlook: Was not affected. You do not need to change your password.

Hey, that was a fun round. Now let’s move on to …

Online stores
Here are the ones that were vulnerable:

• Amazon Web Services (for website operators): Was affected. If you use Elastic Load Balancing, Amazon EC2, Amazon Linux AMI, Red Hat Enterprise Linux, Ubuntu, AWS OpsWorks, AWS Elastic Beanstalk, or Amazon CloudFront, you should change your password.

• eBay: Was probably not affected. But you should change your password just in case.

• GoDaddy: Was affected! But patched. You should change your password.

And the ones that were not:

• Amazon: Was not affected. You do not need to change your password.

• PayPal: Was not affected. You do not need to change your password.

• Target: Was not affected. You do not need to change your password.

Tax- and government-related
None of the big ones were vulnerable!

• Intuit (TurboTax): Was not affected. You do not need to change your password.

• Healthcare.gov: Was not affected. You do not need to change your password.

• 1040.com: Was not affected. You do not need to change your password.

• FileYour Taxes.com: Was not affected. You do not need to change your password.

• H&R Block: Was not affected. You do not need to change your password.

• IRS: Was not affected. You do not need to change your password.

Social networks
Here are the ones that were vulnerable:

• Tumblr: Was affected! But patched. You should change your password.

• Twitter: Unclear. It’s “monitoring the situation.” So maybe wait a few more days and then change your password.

• Facebook: Unclear! It has “added protections,” so it’d be best to change your password.

And one that was not:

• LinkedIn: Was not affected. You do not need to change your password.

Other important websites
Here are the ones that were vulnerable:

• Google: Was affected! But patched. Google says you don’t need to, but just to be safe, you should probably change your password for the following Google services: Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. Google Chrome and Chrome OS were not affected.

• Yahoo: Was affected! But patched. You should change your password.

• Dropbox: Was affected! But patched. You should change your password.

• OkCupid: Was affected! But patched. You should change your password.

• SoundCloud: Was affected! But patched. You should change your password.

• Wunderlist: Was affected! But patched. You should change your password.

• IFTTT: Was affected! But patched. You should change your password.

• Netflix: Was affected. But patched. You should change your password.

And the ones that were not:

• Apple: An Apple spokesperson told Yahoo Tech that “Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key web-based services were not affected.” So, no need to change your password.

• Amazon: Was not affected. You do not need to change your password.

• Microsoft: Was not affected. You do not need to change your password.

• Evernote: Was not affected. You do not need to change your password.

• Dashlane: Was not affected. You do not need to change your password.

And that concludes this week’s episode of “Secure or Not?” We’ll see you back here next time someone breaks the Internet. A special hat-tip to Mashable, from whom we sourced some of this info.

In the meantime, check out my colleague Rafe Needleman’s column on how to create super-strong passwords.

Follow Alyssa Bereznak on Twitter or email her hereFollow Yahoo Tech on Facebook right here for all the latest tech news.