By now, you may have heard about a major online security flaw called Heartbleed. In short, it’s a bug in a commonly used security system that potentially two-thirds of Internet sites use to keep your sensitive information (like your password) safe. A group of researchers discovered it Monday evening, and major websites have been scrambling to patch the error.
What can you personally do about it? In a nutshell: Wait, and then change your passwords.
Any vulnerable site that you’ve given your sensitive information to may still be working to fix the problem. That means you should wait to change your password until after the site has officially announced a patch. Otherwise, anyone who has exploited the flaw could pocket your new login info, too.
How can you tell when it’s safe to change your password on any given site? We’ve put together a list of which of the top-trafficked sites in the United States were vulnerable to the bug (per a check done by the open-source code site GitHub on April 8), with our own updates.
A quick key: “Not vulnerable” means the site was never exposed to the flaw in the first place. “No SSL” means the site in question doesn’t use the encryption tool that was found to be faulty. “Was vulnerable” means you should go to your site and change your password now.
1. Google.com: Not vulnerable.
2. Facebook.com: Not vulnerable.
3. YouTube.com: Not vulnerable.
4. Amazon.com: Not vulnerable.
5. Yahoo.com: Was vulnerable. Yahoo Mail was vulnerable to attack but has since announced that it has been patched, along with other main Yahoo sites such as Yahoo Search, Finance, Sports, Flickr and Tumblr.
6. Wikipedia.org: Not vulnerable.
7. LinkedIn.com: No SSL.
8. eBay.com: No SSL.
9. Twitter.com: Not vulnerable.
10. Craigslist.org: Not vulnerable.
11. Bing.com: No SSL.
12. Pinterest.com: Not vulnerable.
13. Blogspot.com: Not vulnerable.
14. Go.com: Not vulnerable.
15. CNN.com: No SSL.
16. Live.com: No SSL.
17. PayPal.com: Not vulnerable.
18. Instagram.com: Not vulnerable.
19. Tumblr.com: Was vulnerable. Tumblr was vulnerable to attack, but Yahoo has since announced that it has been patched.
20. ESPN.go.com: Not vulnerable.
21. WordPress.com: Not vulnerable.
22. Imgur.com: Not vulnerable.
23. HuffingtonPost.com: No SSL.
24. reddit.com: Not vulnerable.
25. MSN.com: No SSL.
GitHub’s survey found that other well-known sites like OkCupid, Flickr, Imgur, WeTransfer, and Slate were all vulnerable at one point. Flickr, OkCupid, Imgur, and Slate have been patched, so you’re clear to update your passwords for those sites. We’re waiting to hear from WeTransfer.
If you’d like to see if a specific site is vulnerable to Heartbleed, you can enter the URL at this site.
If you want to be extra safe, you can also install the Chromebleed extension for Google Chrome. This extension will warn you when you stumble upon a site that’s vulnerable to the Heartbleed bug, so that you know not to enter any sensitive information.
Finally: Just because a site was never vulnerable doesn’t mean your password is safe. If you use the same password for multiple websites, it’s probably best to change all of them, even if the site in question wasn’t vulnerable. Attackers could use login information they’ve gathered from other sites to break into other accounts.
Oh, and while you’re changing your passwords, make sure you use our guide to choosing a good one. Because if your password is “123456,” it’s not keeping hackers out anyway.
Update: We’ve received notifications from the following companies that they’ve patched any vulnerabilities in their networks.
Update your passwords accordingly!
[UPDATE: Here’s an even more comprehensive list of sites affected by Heartbleed]