Heartbleed “Hit-List”

For those who are wondering what the hell Heartbleed is and why it’s a “thing” right now, here’s the long and short of it, directly from the informational website:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

So in other words, there are a bunch of websites that you use on a regular basis that you should take a closer look at… and change your passwords accordingly. I’ll keep updating this list that I kinda (I did) stole from Mashable but I just cut to the chase of the ones that they advised you update. All killer no filler. Here’s the list!

Compromised:

Facebook: “We added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed. We haven’t detected any signs of suspicious account activity, but we encourage people to … set up a unique password.”

Tumblr: “We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue.”

Google: “We have assessed the SSL vulnerability and applied patches to key Google services.” Search, Gmail, YouTube, Wallet, Play, Apps and App Engine were affected; Google Chrome and Chrome OS were not.
*Google said users do not need to change their passwords, but because of the previous vulnerability, better safe than sorry.

Yahoo: “As soon as we became aware of the issue, we began working to fix it… and we are working to implement the fix across the rest of our sites right now.” Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr were patched. More patches to come, Yahoo says.

Gmail: “We have assessed the SSL vulnerability and applied patches to key Google services.”

*Google said users do not need to change their passwords, but because of the previous vulnerability, better safe than sorry.

Yahoo Mail: “As soon as we became aware of the issue, we began working to fix it… and we are working to implement the fix across the rest of our sites right now.”

Amazon Web Services (for website operators): “Most services were unaffected or Amazon was already able to apply mitigations (see advisory note here). Elastic Load Balancing, Amazon EC2, Amazon Linux AMI, Red Hat Enterprise Linux, Ubuntu, AWS OpsWorks, AWS Elastic Beanstalk and Amazon CloudFront were patched.”

GoDaddy: “We’ve been updating GoDaddy services that use the affected OpenSSL version.” Full Statement

Intuit (TurboTax): TurboTax “has examined its systems and has secured TurboTax to protect against the ‘Heartbleed’ bug.” Full Statement

Dropbox: On Twitter: “We’ve patched all of our user-facing services & will continue to work to make sure your stuff is always safe.”

LastPass: “Though LastPass employs OpenSSL, we have multiple layers of encryption to protect our users and never have access to those encryption keys.”

Minecraft: “We were forced to temporary suspend all of our services. … The exploit has been fixed. We can not guarantee that your information wasn’t compromised.” More Information

OKCupid: “We, like most of the Internet, were stunned that such a serious bug has existed for so long and was so widespread.”

SoundCloud: “We will be signing out everyone from their SoundCloud accounts … and when you sign back in, the fixes we’ve already put in place will take effect.” SoundCloud added that there were no indications of any foul play and that the company’s actions were simply precautionary.

Wunderlist: “You’ll have to simply log back into Wunderlist. We also strongly recommend that you reset your password for Wunderlist.” Full Statement

If you have any questions on particular sites, let me know and I’ll get the list updated. Oh, and for my web clients, I’ve already updated the proper servers with new passwords so you’re in the clear!

p.s. Why is there a Canadian Hockey player in the top Google Image searches for “HeartBleed”?

Liked it? Take a second to support Kenny on Patreon!
