Blog

The Heartbleed Bug in Simple Terms

Reading Time: 9 mins

Before I bother reading about this ‘bug’, tell me, am I affected?

According to CNN Money,

“If you see a padlock image in the address bar [on a website], there’s a good chance that site is using the encryption software that was impacted by the Heartbleed bug.”

In short, if you’ve used websites that are secured by OpenSSL software (you can usually identify them by the extra ‘s’ on the end of http) – sites like Yahoo Mail, Gmail, Facebook, Twitter – you’ve been affected and you’re going to want to change your passwords.

However, unless the websites/companies that use the OpenSSL protocol have updated their servers to account for the Heartbleed bug, changing your passwords isn’t going to make your information more secure than it was before.

How do I find out which websites have ‘patched’ (aka: fixed) the error so I can change my password?

  • Take a look at our list below
  • Take a look at Mashable’s own list (bear in mind it’s US-centric) which is what we based our own off of
  • Use this website to find out if a site has been affected
  • Check the website’s news section or blog to see what they have to say about themselves and Heartbleed

Once the sites have updated their servers, change your password. If you want to create a super secure password, take a look at the latest guidance on doing so from Business Insider. Google and Microsoft have some sage advice as well.

Tell me more – what is the Heartbleed bug and how does it work?

Basically, it’s a ‘bug’ (AKA: error) in the OpenSSL code that websites/companies use to prevent hackers from accessing sensitive information. Any website that uses OpenSSL software to secure their site is at risk. And, if you’ve submitted private information to these sites, you’re at risk too.

If you’re used to browsing the internet, thinking that any website that includes HTTPS in the URL is secure, well we’re sorry to say that hasn’t actually been the case for 2 years. Anyone with knowledge of the vulnerability would have been able to exploit it in order to access your personal information.

To do this, a hacker would use a tool that allows his computer to check whether another computer is online. This is called a ‘heartbeat request’. If the computer is online, the hacker’s request is answered and the computer returns only the requested data. However, if the hacker knows about the flaw in the system, he can submit an open-ended request for information, allowing him access to the data surrounding that one piece of requested information. This surrounding information may be secret and could even include keys to the website’s encryption code. Once a hacker has the encryption code, you can say goodbye to your security.

But won’t I know if my information has been compromised?

This is where it gets worse.

No, you won’t. The Heartbleed bug leaves no traces, meaning you’ll have no idea if or when you’ve been hacked. It may yet be weeks until the entire web is once again secure. And, as we said earlier, while some sites have implemented patches/fixed the problem, others are still in the process of doing so.

Websites affected by the Heartbleed bug

Below you will find a list of those websites affected by the Heartbleed bug.

For a more comprehensive list on which sites have updated their servers and what the companies in question say about whether or not they’ve been affected, have a look at the original Mashable article.

Because we cater to a primarily UK audience, we have left off US-only institutions, including US banks (none of which seemed to be affected by Heartbleed). We’ve also left off a few US-only ecommerce stores. If you’d like us to include additional information on sites affected, get in touch or leave a comment below.

Social Networks

social networks

Other Companies

other companies

Email

email

Stores and Commerce

stores and commerce

Videos, Photos, Games and Entertainment

videos photos and games

Other

other

Password Managers

password managers

What’s with the name and the logo?

heartbleedThe Heartbleed bug was named by Codenomicon, a private company situated in Finland. The logo – a bleeding red heart – was created by the same company in order to raise awareness of the issue. You can find out more about the logo and the bug on their dedicated Heartbleed website.