WHAT IT IS & HOW IT WORKS
Said to be “the biggest network security vulnerability in history,” the Heartbleed bug was discovered by a team of Finnish researchers from the security firm Codenomicon along with a separate Google researcher. Prior to its discovery, it went undetected for two years.
According to Snopes, a bug in software used by millions of web servers may have exposed anyone visiting sites they hosted to spying and eavesdropping. This means that personal data is viewable and encrypted connections are not secure until this is repaired.
The bug is found in a software library known as OpenSSL, commonly utilized in servers, operating systems, and email and instant messaging systems. Typically, this software is meant to protect sensitive data during its travels through the system. This bug threatens that security by allowing hackers to trick servers running OpenSSL into exposing decryption keys stored in their memory. With these details, hackers are then able to steal sensitive information (passwords, bank info, etc.) as well as impersonate users and services.
Do you ever notice that little padlock in your address bar?
A closed padlock indicates an encrypted connection to the server. Heartbleed undermines what this symbol promises; it enables hackers to access your information even if the padlock is closed.
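To make the memory exposure described above concrete, here is an added example (not OpenSSL's code and not from the original article) that models the flaw and its fix in a toy program. The record layout is simplified, and the buffer, secret, and function names are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model (constructed): the received record sits at offset 0 of one flat
   memory region and an unrelated secret sits right after it at REC_MAX. */
#define REC_MAX 16
#define MEM_SIZE 64
#define SECRET "KEY=constructed-secret"
static uint8_t memory[MEM_SIZE];

static void load(const uint8_t *rec, size_t rec_len) {
    memset(memory, 0, MEM_SIZE);
    memcpy(memory, rec, rec_len > REC_MAX ? REC_MAX : rec_len);
    memcpy(memory + REC_MAX, SECRET, strlen(SECRET));
}

/* Record: 1 type byte, 2-byte big-endian claimed payload length, payload.
   Vulnerable: echoes as many bytes as the sender claims. */
static size_t echo_vulnerable(uint8_t *out, size_t out_cap) {
    size_t claimed = ((size_t)memory[1] << 8) | memory[2];
    if (claimed > out_cap || claimed > MEM_SIZE - 3) return 0; /* keep toy in bounds */
    memcpy(out, memory + 3, claimed);
    return claimed;
}

/* Hardened: compare claimed length with bytes received; drop on mismatch. */
static size_t echo_checked(size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 3) return 0;
    size_t claimed = ((size_t)memory[1] << 8) | memory[2];
    if (claimed > rec_len - 3 || claimed > out_cap) return 0;
    memcpy(out, memory + 3, claimed);
    return claimed;
}

/* Returns 1 if the string s appears anywhere in the first n bytes of out. */
static int reply_contains(const uint8_t *out, size_t n, const char *s) {
    size_t m = strlen(s);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(out + i, s, m) == 0) return 1;
    return 0;
}

int main(void) {
    const uint8_t lying[] = {0x01, 0x00, 0x28, 'h', 'i'}; /* claims 40, sends 2 */
    uint8_t out[MEM_SIZE];
    load(lying, sizeof lying);
    size_t n = echo_vulnerable(out, sizeof out);
    printf("vulnerable: %zu bytes, secret leaked: %d\n", n, reply_contains(out, n, SECRET));
    n = echo_checked(sizeof lying, out, sizeof out);
    printf("checked:    %zu bytes returned\n", n);
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed length against the number of bytes actually received, which is why patching the server closes the hole.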
WHAT YOU CAN DO ABOUT IT
Unfortunately, there really isn’t much you can do about this bug until the servers fix the problem. DO NOT change your passwords. DO NOT log into your bank account or any other sites that have personal information you do not want shared. DO NOT buy anything online. DO NOT post anything online that you wouldn’t want anonymous third parties to see or copy.
Changing your passwords BEFORE a fix is performed is very risky, and should be avoided. Wait until the sites have resolved the issue.
As Lifehacker explains, LastPass can tell you which sites have been affected and when to change your passwords for them.
WHICH SITES HAVE BEEN AFFECTED?
To find out which sites have been affected by the Heartbleed bug, go here: http://filippo.io/Heartbleed/
Then enter the site’s web address in the provided search box. It will inform you if the site is still vulnerable or not.
If a site you use often is not affected, it is still a good idea to change your password for that site now that it’s fixed. It’s better to be safe than sorry!
If a site you use often is affected, it is best not to log into it until it’s been fixed. If it is a site that doesn’t require login credentials, then you should be okay. It is still better to be on the safe side, however.
Here is a list by Mashable of different websites and whether they were affected or not.