Warning: Hearbleed Vulnerability Compromises Login Information Across the Board

The Hearbleed bug went undetected for two years and compromised systems and networks across the board.

The Heartbleed vulnerability went undetected for about two years and can be exploited without leaving a trace, so experts and consumers fear attackers may have compromised large numbers of networks without their knowledge.

Companies and government agencies are now rushing to understand which products are vulnerable, then set priorities for fixing them. They are anxious because researchers have observed sophisticated hacking groups conducting scans of the Internet this week in search of vulnerable servers.

"Every security person is talking about this," said Chris Morales, practice manager with the cybersecurity services firm NSS Labs

Rueters

This is the long list of compromised passwords and usernames - across the board.

Email providers
Here are the ones that were vulnerable:

• Yahoo Mail: Was affected! But patched. You should change your password.

• Gmail: Was affected! But patched. A Google representative told Mashable you need not change your password. But you should probably do it anyway, just in case.

And the ones that were not:

• AOL: Was not affected. You do not need to change your password.

• Hotmail/Outlook: Was not affected. You do not need to change your password.

Hey, that was a fun round. Now let’s move on to …

Online stores
Here are the ones that were vulnerable:

• Amazon Web Services (for website operators): Was affected. If you use Elastic Load Balancing, Amazon EC2, Amazon Linux AMI, Red Hat Enterprise Linux, Ubuntu, AWS OpsWorks, AWS Elastic Beanstalk, or Amazon CloudFront, you should change your password.

• eBay: Was probably not affected. But you should change your password just in case.

• GoDaddy: Was affected! But patched. You should change your password.

And the ones that were not:

• Amazon: Was not affected. You do not need to change your password.

• PayPal: Was not affected. You do not need to change your password.

• Target: Was not affected. You do not need to change your password.

Tax- and government-related
Here are the ones that were vulnerable:

• Intuit (TurboTax): Was affected! But patched. You should change your password.

And the ones that were not:

• Healthcare.gov: Was not affected. You do not need to change your password.

• 1040.com: Was not affected. You do not need to change your password.

• FileYour Taxes.com: Was not affected. You do not need to change your password.

• H&R Block: Was not affected. You do not need to change your password.

• IRS: Was not affected. You do not need to change your password.

Social networks
Here are the ones that were vulnerable:

• Tumblr: Was affected! But patched. You should change your password.

• Twitter: Unclear. It’s “monitoring the situation.” So maybe wait a few more days and then change your password.

• Facebook: Unclear! It has “added protections,” so it’d be best to change your password.

And one that was not:

• LinkedIn: Was not affected. You do not need to change your password.

Other important websites
Here are the ones that were vulnerable:

• Google: Was affected! But patched. Google says you don’t need to, but just to be safe, you should probably change your password for the following Google services: Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. Google Chrome and Chrome OS were not affected.

• Yahoo: Was affected! But patched. You should change your password.

• Dropbox: Was affected! But patched. You should change your password.

• OkCupid: Was affected! But patched. You should change your password.

• SoundCloud: Was affected! But patched. You should change your password.

• Wunderlist: Was affected! But patched. You should change your password.

• IFTTT: Was affected! But patched. You should change your password.

• Netflix: Unclear. So maybe wait a few more days and then change your password.

And the ones that were not:

• Apple: An Apple spokesperson told Yahoo Tech that “Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key web-based services were not affected.” So, no need to change your password.

• Amazon: Was not affected. You do not need to change your password.

• Microsoft: Was not affected. You do not need to change your password.

• Evernote: Was not affected. You do not need to change your password.

• Dashlane: Was not affected. You do not need to change your password.

What Passwords you Need to Change Now

It doesn't appear they are primarily after money or social security numbers - just a guess. Or - the sites unaffected are just more difficult to get to. They didn't hit healthcare.gov or things like amazon.com. Why are they trying to get to Internet services like godaddy and the amazon ones? Maybe a back door into every businesses' information. That one bothers me so will check into it. The email thing - happens so often I just don't put anything personal in them anymore.

People that do this stuff don't seem to get caught and only get better at their abilities. If someone can create it someone else can compromise it so the internet can never be completely safe.

reply to post by Dianec


I had a text from google

Which read:
Подозрительный вход в аккаунт "*where my email was" (см.google.com/signins)

Followed by another which read:

Пароль аккаунта "where my email was изменен (см. google.com/password)?

Not sure why google would send it in Russian.

reply to post by SUPERT303


That is really odd, I assumed it was because you spoke Russian.

reply to post by Dianec


I think it is a vulnerability - was it a back door or a mistake? Are you able to find out? Anyway, I don't think it was an "active" threat unless someone knew about the vulnerability and exploited it. It looks like coding error at first glance, not sure.

Well, after reading about this in another thread, and being advised not to change any passwords unless the website in questioned asked me to, I paid no attention to it. Well this morning I got my first notification via email from *Pinterest, that I needed to change my password because the site had been compromised. So far, nothing else has.

reply to post by AccessDenied


I went to TheEconomist.com today and they had a warning across the top of their page that they had just patched their systems in order to fix the heartbleed vulnerability, but it was advised to change your password anyway.

So strange, I did a search before posting this O.P. and didn't find anything then. I have bad luck with that. Now I find a ton of threads on it.

reply to post by darkbake


Yeah, it just took time for sites to fix things and put the word out. My husband got a notification about his tumblr account as well. No big deal really.