Heartbleed Effect: Passwords You Need to Change Now


It's a pain, but we are all going to have to bite the bullet and change passwords at sites that may have been affected by the Heartbleed security exploit. Some helpful people have been compiling lists of sites where a password change is indicated. For example, Mashable has published a list of major sites showing which ones need a password change.

Here are some big sites that were affected and need a password change. Note that these sites, and the others in the Mashable list cited above, are said to have already patched the Heartbleed bug.

  • Yahoo
  • Yahoo Mail
  • Facebook
  • Google
  • Gmail
  • Instagram
  • GoDaddy
  • Pinterest

Here are some major sites that are said to not require a password change:

  • Microsoft
  • eBay
  • Amazon
  • Paypal
  • Hotmail/Outlook
  • AOL

This tips section is maintained by Vic Laurie. Vic runs several websites with Windows how-to's, guides, and tutorials, including a site for learning about Windows and the Internet and another with Windows 7 tips.


Comments

First news of successful exploits now surfacing together with details about how the exploit itself is being exploited by phishing scams. http://www.bbc.com/news/technology-27028101 Remains to be seen but IMO although the bug has existed for a long time, I think the majority of those exploiting it only began their operations after the announcement. MC - Site Manager.

Intended for Vic L, but any other expertise welcome. Think I had some security attack last week, or something managed to amend some settings, I logged on one day, was told that a file could not be found, and therefore not loaded. File named as zkbuygp.dat, doesn't get any mentions in a Google search, a bit odd as most system files have plenty info online. Being suspicious, I tried a scan with Anti-Malwarebytes (free version) it would NOT run due to 'blocked by group policy'; neither would M'soft Security Essential (same reason). I tried the Malwarebytes 'chameleon', also not working. I downloaded a new version of Malwarebytes, stored in a different folder, seemed to run ok, chameleon too. M'soft Sec Essentials DOES run a scan if PC in Safe mode - and when I checked it said it had blocked online threats when PC was NOT in safe mode, so seems (?) to be working behind the scenes still.

BUT today, I was on a website, a little box appeared, saying Malwarebytes had just blocked a threat, sounds good, BUT I thought that product doesn't work in real time, just does scans? (I should add that the version I've newly downloaded seems to say it's a trial, presumably a 14 day one, as opposed to the perm free one I had before). As I only recently ventured into online banking (had done things by phone for years) this is rather worrying - I haven't used any bank website since the odd event with the mystery file and the 'group policy' stuff.

The only info I can find re 'Group Policy' seems to imply that products good or bad might change registry settings, but I'm not informed or capable enough to change them back! ANY CLUES PLEASE? Thx TH (I have a desktop PC, Windows Home 7, IE9)

Tony, there are people here who will be glad to help you. We have a forum for just that purpose. Go to http://www.techsupportalert.com/freeware-forum/general-computer-support/, log in and describe your problem there. Also, check your bank account right away by phone to make sure nothing is going on there. These articles can help you: http://www.techsupportalert.com/content/how-know-if-your-computer-infect... and http://www.techsupportalert.com/content/how-clean-infected-computer.htm Don't use your computer for banking or other sensitive business until you have made sure it is secure. You are right to be concerned about getting messages about the Group Policy Editor.

Although you might have done so elsewhere, it might be helpful for people new to the Heartbleed bug to understand that it affects earlier versions of OpenSSL and they need only be concerned about secure web sites (https) that use OpenSSL, IOW if a site uses some other type of encryption then it is not going to be vulnerable...at least not this time.

Yes, it would be good if everybody had some idea what OpenSSL was and what the bug entails but I wonder if it might not be rather too technical for many people. In any event, I hoped that the FAQ http://heartbleed.com/ given in the previous tip http://www.techsupportalert.com/content/how-check-if-website-has-been-af... might be helpful to those wishing to know more about the problem. If you would like to write an article about what you think people should know, we always welcome new material.

I agree that too much info on this subject is likely to be too technical for some, including me. That is why I only mentioned those two points, i.e., that heartbleed only affects sites that begin with https, and use OpenSSL. I have found sites not listed in Mashable or other sites working on this issue that test as possibly vulnerable, including some banking sites overseas. And since this is an issue with constant changes (at least until all OpenSSL sites are fixed), some people might want to change passwords even if the site is vulnerable and change it again when the site is fixed. If I encountered a banking site that is not fixed, I would probably either move my money to a bank whose site is fixed until it gets fixed, or I would change my password before each use until I was sure that the site is fixed, plus checking that site more frequently than other banking sites that are not vulnerable, and if money was missing I would be able to report it quickly.
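The two comments above make the point that Heartbleed only concerns https sites running an affected OpenSSL release. The following is an added example, not code from the original article or from any of the commenters: a small Python classifier that takes the line printed by `openssl version` (as an administrator would see it on their own server) and reports whether that release falls in the affected range. The version boundaries it encodes are the publicly documented ones (the 1.0.1 series from 1.0.1 up to and including 1.0.1f, plus the 1.0.2-beta1 pre-release, were affected; 1.0.1g fixed it; the 1.0.0 and 0.9.8 branches never contained the heartbeat code). The sample version strings in the driver are constructed for illustration. One caveat the code spells out: Linux distributions commonly backport the fix without changing the version string, so a "vulnerable" answer from the string alone means "check the package changelog", not "definitely exposed".

```python
import re

# Matches the start of the line printed by `openssl version`, e.g.
# "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")

VULNERABLE = "vulnerable"      # release shipped the Heartbleed bug
FIXED = "fixed"                # release contains the fix
NOT_AFFECTED = "not affected"  # branch never had the heartbeat code
UNKNOWN = "unknown"            # could not parse the version line


def classify_openssl(version_line):
    """Classify an `openssl version` line against the Heartbleed-affected range.

    Note: distributions such as Debian, Ubuntu and Red Hat backported the fix
    into packages that still print 1.0.1e, so a VULNERABLE result from this
    function must be confirmed against the package version / changelog.
    """
    m = _VERSION_RE.search(version_line)
    if not m:
        return UNKNOWN
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)   # "" for a bare release such as "1.0.1"
    beta = m.group(5)     # "1" for "1.0.2-beta1", otherwise None
    branch = (major, minor, fix)

    if branch < (1, 0, 1):
        # 1.0.0 and 0.9.8 predate the TLS heartbeat extension code.
        return NOT_AFFECTED
    if branch == (1, 0, 1):
        # 1.0.1 through 1.0.1f affected; 1.0.1g and later carry the fix.
        # String comparison works here because the suffix is a single letter.
        return VULNERABLE if letter < "g" else FIXED
    if branch == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the bug.
        return VULNERABLE if beta == "1" else FIXED
    # Anything newer than the 1.0.2 series was released after the fix.
    return FIXED


def needs_package_check(version_line):
    """True when the version string alone cannot rule out a backported fix."""
    return classify_openssl(version_line) == VULNERABLE


if __name__ == "__main__":
    # Constructed sample lines in the format `openssl version` prints.
    samples = [
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "not an openssl banner",
    ]
    for line in samples:
        status = classify_openssl(line)
        hint = "  (confirm against distro package changelog)" if needs_package_check(line) else ""
        print(f"{line!r}: {status}{hint}")
```

On a server you would feed it the real output with `openssl version` (the function only needs the version line, not the network), and treat "vulnerable" as a prompt to verify the installed package rather than as a final verdict. It deliberately does not probe remote hosts; whether a site is patched is something its operator confirms, which is the same advice the article gives for deciding when to change a password.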

What to do about sites that have not yet been patched is a dilemma. I do not personally see a clear-cut solution or easy answers. I think your suggestions are as good as any but it's a personal choice.

Vic,
This all just got more complicated, since Akamai just announced that the patch it supplied for OpenSSL turns out not to be a complete patch, and the OpenSSL fix is only a partial fix. See the article at
http://www.cnet.com/news/akamai-heartbleed-patch-not-a-fix-after-all/?ta...

-------------------------
In other words, there is a bug in the patch for the Heartbleed bug, and there will probably be another bugfix coming, but when, we don’t know, and I have no idea how it will affect the scanning tools, like filipo.
Whether changing passwords now will help will probably depend on the approach that is taken to exploit the bug. If the bad guys are working from a database, then maybe changing passwords now is a temporary workaround, because they will not be able to log in with the old password. But if the bad guys are rescanning the server data each time before launching an attack, then any target would be vulnerable at any given time, I believe. I am not into cracking, so I cannot say for sure.

Thank you for letting me

From bitter experience and actual financial loss, at the first sign of trouble change the password.

Surely, with the way the bug works, it actually makes sense to hold off changing until the affected sites confirm they've fixed the bug?

If you change now you run the risk of being caught out by the bug... It's a catch-22 situation really.

Yes, I saw that - but I think you missed my point entirely. Your article advocates updating passwords at infected sites - I'm saying that's a catch-22 if they are affected by the bug, because there's a chance you'd have your password stolen due to the bug. Not only would you then have to change it again when they do fix the bug, you may also have lost your access.

I did not miss your point. The problem with unpatched sites is discussed in references given in my first reply above. Also, if you read the referenced Mashable article that is the basis for the present article, you would see that the sites that are listed as needing a password change are sites that have patches for the bug already in place.

I thought you wanted to end this thread and no doubt will delete this before it gets seen.

However - the issue was that you sidestepped what I said, then added to your original article with the comment rather than either agreeing with me or completely disagreeing (I'm a big boy, I can handle someone not agreeing).

I suspect it was a case of you rushing your answer rather than just (dis)/agreeing that this is the case and then pointing out the link, etc ...

Still - I guess this will get deleted as you have been rather heavy handed with moderation. And I thought gizmo's was all about discussion ... I'm sure Ian wouldn't have shut this conversation down....

True discussion is always welcome. Incorrect statements, however, are a different issue. My way of responding to your original point about unpatched sites was to provide information by means of some references. To my way of thinking, that answered your comment. However, if you feel an explicit acknowledgement of your point is necessary, I am happy to say that you had a valid point about those sites that are still unfixed. However, the article's focus was specifically about changing passwords for sites that had patched the problem, as a reading of the Mashable article that was cited would have made clear. You responded with the unfair statement, "Your article advocates updating passwords at infected sites". This is simply not true.

Thank you. I'll accept your POV about the response but for my part I saw it as side-stepping or declining to answer the point asked.

As to unfair. I don't think so. I'll simply refer you to the opening sentence of your article. Let's face it, many folks simply scan articles and will rarely get past fully reading the first sentence - which is why they are always considered so important.

I am sorry but there has been a misunderstanding. I have not "advocated" changing passwords at infected sites. Let that be plain. With that made clear, let us call an end to this thread.