How to tell if Heartbleed could have stolen your password, and when it’s safe to change it

Step one: Stop screaming.
Step one: Stop screaming.
Image: AP Photo/Robb Cohen
We may earn a commission from links on this page.

As you’ve probably heard, the Heartbleed bug exposes websites that use a popular encryption technology to malicious attacks, and some of your passwords—and personal data—may well have been compromised. The vulnerable software, OpenSSL, is used to encrypt something like two-thirds of all sites on the web.

Who’s affected?

GitHub user Mustafa Al-Bassam performed a mass scan for vulnerable sites at 16:00 UTC (noon US eastern time) on April 8th. It features over 10,000 websites, and he found that 627 of them were vulnerable to the bug. Yahoo sites (including email and Tumblr) were vulnerable, as was the popular dating site OkCupid.

UPDATE: You can now check Al-Bassam’s more recent scan as well (made on April 10th at 11:00 UTC). Many affected sites are no longer vulnerable.

What you can do now

We recommend searching the list linked above for your email provider, bank, and so on. Keep in mind that many of the sites that were vulnerable yesterday have since fixed their security problem. Check your inbox—if a site you use has been made safe again, it may have emailed you to let you know.

If you find yourself about to log in to a page that isn’t on the GitHub list, you can use this open-source Heartbleed test to be sure it’s safe. That test attempts to interact with the site and extract a small amount of memory from it, mimicking the actions of a hacker stealing data, and alerts you if the site is vulnerable. If you use Google Chrome as your browser, you can get an extension that runs the test on command.

If you find that a site is still vulnerable, don’t enter any passwords or data that it doesn’t already have.

Why you need to hold off on changing your password

It’s tempting to freak out and change all your passwords immediately, but there’s no point in doing so before the sites you use are fixed—or else someone could just steal your new password. If one of the sites you use is vulnerable, make sure all other sites you use have unique passwords. (Many hackers will try to get into your other accounts using the one password they’ve found, because they know how lazy we are about coming up with new passwords.) At this point, it’s more prudent to wait for good news first. Once you’ve gotten the okay, take this opportunity to make your passwords extra secure. Or just give up and make them all Password1234.

Some helpful advice from The Onion Router

Tor(previously an acronym for The Onion Router), a free software program that makes your web browsing anonymous, has a further recommendation for those that value their privacy: Stay away from the internet for the next few days, suggests a post on Tor’s blog, “while things settle.”