Heartbleed leaving you heartbroken? What to know and what to do

Heartbleed could be one of the worst security flaws of all time. But what exactly is it and how can you protect yourself?

This story was published in 2014 about a recent security event. It was updated in January 2024 to correct out-of-date information and broken links.

Although you don't need to worry about Heartbleed anymore, the advice given is still good practice for securing your accounts.

Over the past week, an OpenSSL security advisory alerted the world to a major bug, nicknamed Heartbleed (CVE-2014-0160), in OpenSSL, the cryptographic library that most sites on the internet use to encrypt their connections.

A new security problem seems to crop up every week, but this one is very serious: security expert Bruce Schneier described it as "catastrophic."

The reason you need to worry is that the bug lets anyone on the internet read chunks of a vulnerable server's memory. OpenSSL is used by some of the most popular sites, including Google, Yahoo, and Facebook, and the memory it leaks can contain your passwords, session cookies, personal and chat data, and even the server's private key: in other words, exactly the things encryption (scrambling data so that no unauthorised party can read it) is supposed to protect.

However, users are being told not to change their passwords just yet. If you change your password before a site has patched OpenSSL, the server is still leaking memory, so your new password can be exposed in exactly the same way as the old one.
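To make the bug concrete, here is an added example in Python, not code from the original article or from OpenSSL, that simulates the flaw. A TLS heartbeat message carries a one-byte type, a two-byte payload length and the payload itself, followed by padding. Unpatched OpenSSL trusted that length field and copied that many bytes into its reply, even when the message it had actually received was far shorter, so the reply carried whatever happened to sit next to the message in the server's memory. The "server memory", the fake session cookie and the fake key below are constructed for the demo; the length check in the patched function has the same shape as the upstream fix.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = 16  # a heartbeat message ends with at least 16 bytes of padding

# Constructed for the demo: stands in for whatever happened to sit next to the
# heartbeat record in the real server's memory (cookies, keys, other users' data).
ADJACENT_SECRETS = b"session=abc123; SECRET_KEY=hunter2"


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Encode a heartbeat request: type, big-endian payload length, payload,
    padding. A lying client sets claimed_length larger than len(payload)."""
    header = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length)
    return header + payload + b"\x00" * PADDING


def vulnerable_response(memory: bytes) -> bytes:
    """Unpatched behaviour: trust the length field and copy that many bytes
    starting at the payload, reading straight past the end of the record.
    (Python slicing stops at the end of our fake memory; C keeps reading.)"""
    _hbtype, payload_length = struct.unpack_from("!BH", memory, 0)
    payload = memory[3:3 + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * PADDING


def patched_response(memory: bytes, record_length: int):
    """Patched behaviour: compare the claimed length with the size of the
    record actually received and silently drop the message if it does not fit."""
    if 1 + 2 + PADDING > record_length:
        return None  # too short to even hold a header and padding
    _hbtype, payload_length = struct.unpack_from("!BH", memory, 0)
    if 1 + 2 + payload_length + PADDING > record_length:
        return None  # claimed payload would run past the record: discard
    payload = memory[3:3 + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * PADDING


def heartbeat_demo(claimed_length: int):
    """Send a two-byte payload with the given length field to both versions
    and return (vulnerable reply, patched reply)."""
    record = build_heartbeat(b"hi", claimed_length)
    memory = record + ADJACENT_SECRETS  # the record, then unrelated secrets
    return vulnerable_response(memory), patched_response(memory, len(record))


if __name__ == "__main__":
    leaked, dropped = heartbeat_demo(claimed_length=64)
    print("vulnerable server replied with:", leaked[3:])
    print("patched server replied with:", dropped)
```

With an honest length field of 2 both versions answer identically; with a length field of 64 the vulnerable version's reply contains the fake cookie and key, while the patched version returns nothing. On a real server the attacker repeats the request, harvesting up to 64 KB of memory each time, which is why passwords changed on an unpatched site are no safer than the old ones.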

So what do you do now that you know your passwords may have been exposed but you can't safely change them yet? You protect yourself as best you can, and there are a couple of ways to do that.

Two Factor Authentication (2FA)

Many sites that store your personal information now offer two-factor authentication (2FA), a way to verify your identity with something you have in your possession as well as something you know.

Usually, this means logging in with a username and password, and then entering a one-time code from a text/SMS message sent to your phone or from an authenticator app like Google Authenticator or Authy. Codes sent by SMS can be intercepted or redirected by someone who hijacks your phone number, so an authenticator app is the stronger choice where a site offers both.

As a good example of why this is necessary, when Adobe was hacked I had reused my email password there, so I had the same login info for both sites. I rushed to change the Microsoft password and deleted my Adobe account as I rarely used it.

I enabled 2FA on my Hotmail a few weeks later and found that there had been over 150 unauthorised attempts to access my account with my old password from all over the world, including Vietnam, China, Australia, Russia, and the US.

If I hadn't been able to react immediately to the Adobe hack, 2FA would have protected my account, as even with the password the people trying to access my account would never have got in.

Password managers

When you log into a website, most browsers offer to save the password. Your browser can store it, but what if you want to use the same login on your phone, tablet, or console?

The solution is a dedicated password manager such as LastPass or Proton Pass. These services keep all of your passwords in an encrypted vault that is unlocked with a single master password on your device.

The company doesn't know your master password, so you're the only one who can decrypt the data, which keeps anyone else, the provider included, from snooping on your confidential information. Most password managers also have apps and extensions for your browser, laptop, and smartphone.
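The "company doesn't know your master password" property comes from how the keys are derived on your device. The following is an added example in Python, not the article's own code and not any vendor's actual scheme, with assumed parameters: the master password is stretched with PBKDF2 into two independent keys, one that decrypts the vault locally and one that is sent to the service as proof of identity. The service stores only a salted hash of the second, so neither its database nor its staff ever holds the vault key or the master password; an attacker who steals the database still has to guess the master password, which is why it needs to be long and unique.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed parameters for the demo, not any product's real settings.
PBKDF2_ITERATIONS = 600_000
KEY_LEN = 32


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """One slow PBKDF2-HMAC-SHA256 run yields 64 bytes, split into two
    independent keys: vault_key never leaves the device, login_key does."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=2 * KEY_LEN
    )
    return stretched[:KEY_LEN], stretched[KEY_LEN:]


def enroll(master_password: str) -> Tuple[dict, bytes]:
    """Client side at sign-up. Returns the record the service stores and the
    vault key, which the client keeps locally to encrypt and decrypt the vault."""
    salt = secrets.token_bytes(16)
    vault_key, login_key = derive_keys(master_password, salt)
    server_salt = secrets.token_bytes(16)
    record = {
        "salt": salt,  # not secret: the device needs it to re-derive the keys
        "server_salt": server_salt,
        "login_hash": hmac.new(server_salt, login_key, "sha256").digest(),
    }
    return record, vault_key


def server_check(record: dict, login_key: bytes) -> bool:
    """Service side: verify the presented login key without ever seeing the
    master password or the vault key."""
    expected = hmac.new(record["server_salt"], login_key, "sha256").digest()
    return hmac.compare_digest(expected, record["login_hash"])


def login(record: dict, master_password: str) -> Optional[bytes]:
    """Client side at login: re-derive both keys, send only login_key, and
    unlock the vault locally with vault_key if the service accepts it."""
    vault_key, login_key = derive_keys(record and record["salt"] and master_password, record["salt"]) if False else derive_keys(master_password, record["salt"])
    return vault_key if server_check(record, login_key) else None


if __name__ == "__main__":
    stored, key_on_device = enroll("correct horse battery staple")
    print("service stores:", {k: v.hex() for k, v in stored.items()})
    print("login with right password unlocks vault:", login(stored, "correct horse battery staple") == key_on_device)
    print("login with wrong password:", login(stored, "wrong password"))
```

The vault itself would be encrypted with `vault_key` using an authenticated cipher such as AES-GCM, which the Python standard library does not provide, so that step is left out here; the point of the example is the split, which is what lets the provider check your login without being able to read your vault.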

In response to Heartbleed, LastPass can even check your stored sites to report whether each one has fixed the issue and whether it is safe to change your password there yet. Its Security Check feature also helps you pick strong passwords.

Getting to the heart of the problem

Although security flaws like this are quite common, few have been on this scale. It's frightening, but you can protect yourself by securing your accounts and changing your passwords once your favourite sites have patched the bug.

As more and more of our confidential information is stored online, it's important to protect your accounts from intruders. If you have any questions about how to get started, you can message me on Threads/Instagram at @jimjam.froo.