A group of security researchers uncovered a major vulnerability in the encryption technology used by millions of websites.
Heartbleed is a security flaw discovered by security firm Codenomicon and members of Google Security. It's found in OpenSSL, which is used to protect sensitive data such as e-mails, passwords or credit card data.
Here are three key questions about the vulnerability:
1. What is Heartbleed?
It's a major bug that affects the technology used to encrypt sensitive information. Ever log in to e-mail or your banking account and notice the "HTTPS" and green lock? That's SSL/TLS, and OpenSSL is among the most widely used implementations of it.
Heartbleed is a flaw in that software that lets anyone read the memory of servers running OpenSSL. "This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content," reads a statement from a Heartbleed website set up by Codenomicon to explain the bug. "This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."
Codenomicon says it's not clear whether the vulnerability has been abused, but since Heartbleed has been exploitable for a long time, it's difficult to determine whether any service is completely safe.
2. What sites are affected?
Citing an April survey from research site Netcraft, Codenomicon's Heartbleed website says roughly two-thirds of active sites on the Internet run OpenSSL. So, yeah, a lot.
Among the big names affected was Yahoo, which is running OpenSSL. In a statement to the AP, Yahoo says its bigger services such as Finance and Tumblr have been fixed, but they're still working on other Yahoo products. Tumblr is urging its users to change their passwords as soon as possible.
"We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue," says Tumblr.
A Heartbleed test has been created that lets users plug in a website name to check whether it is vulnerable. Qualys also hosts a similar inspection of a site's SSL configuration. Vox reports Google and Facebook have addressed the issue, while Microsoft is monitoring the situation. Amazon says it updated its services to address the bug.
3. How can I protect myself?
That's the tricky part. AlienVault Labs Director Jaime Blasco says Web users may want to hold off changing passwords until affected services confirm that they've patched the security hole.
"The fact is if you change your password now, and the service hasn't been patched, then there is a risk that an attacker can steal your current credentials and use them to compromise your account," says Blasco.
Codenomicon says many large consumer sites should be safe, but sites that will likely feel the strongest impact are "smaller and more progressive services or those who have upgraded to latest and best encryption."
Gerry Egan, senior director of product management at Symantec, says sites powered by bigger companies are likely safe since they employ full-time security departments to monitor issues. "I'm sure within hours they were taking remedial action and the issue was put to bed."
It's clear many Internet users will soon be busy updating their accounts across all services. "This might be a good day to call in sick and take some time to change your passwords everywhere," says Tumblr.
Egan says Heartbleed should also serve as another reminder for Web users to practice proper password etiquette, such as not using one password for multiple services. "We believe a lot of users take shortcuts in their usernames and passwords," he says. "While the big sites might have fixed this issue, if the smaller sites haven't and one of those gets attacked, that credential is potentially in their hands."