As we learn more and more about Heartbleed, the security bug that exposed tens of millions of servers worldwide, one thing is becoming clear: Our data is never really safe.
The bug, which was only publicly disclosed earlier this week, dates back two years, and there's no way of knowing how long attackers may have been quietly exploiting it. It affects OpenSSL, the open-source encryption library that roughly two out of three web servers use, and lets an attacker repeatedly pull up to 64 kilobytes of a server's working memory per request without leaving anything in ordinary server logs.
"It's a bit like fishing — attackers don't know what usable data will be in the haul — but since it can be performed over and over again, there's the potential for a lot of sensitive data to be exposed," reports the Verge.
Since the discovery of Heartbleed, companies have been scrambling to patch their servers. Patching alone isn't enough, though: because the leaked memory can include the server's private key, sites also need new certificates issued and the old ones revoked, a slow and expensive process, and a site that skips it can remain exposed even after the patch.
What can you do? This is the hard part: there's not much you can do until the servers you use are patched. The Guardian reports that while your first instinct may be to change all your passwords, you should wait until a site has closed the hole; otherwise you would be handing your new password to the same leaky server.
Which sites need new passwords? Many sites have already announced that their servers are patched and back up. They include Facebook, Tumblr, Google, Yahoo, Dropbox, OKCupid, Gmail, Yahoo Mail, Intuit/TurboTax, LastPass and SoundCloud. It should be safe to go ahead and change your password at these sites.
For others, it may be safer to wait for now.
How do you know when to change your passwords? Before you panic, here are a few ways you can find out whether or not you need to change passwords for a certain site.
1) Wait for the go-ahead: Most services will send you a notification, either to alert you that they were affected or to let you know that their servers have been patched. In the latter case, go ahead and change your password.
2) Check with the site built by developer Filippo Valsorda (filippo.io/Heartbleed): enter a site's hostname and it tells you whether the server is still vulnerable. Note that this only tells you whether a site is patched now, not whether it was ever exploited.
3) If you use Chrome as your browser, there is an extension, adapted from Valsorda's checker, that warns you when the site you are browsing is still affected by Heartbleed.
4) If you use the password management service LastPass, you can use its Security Check scan to see which of your saved sites are vulnerable and which passwords you need to change immediately.
LastPass also has its own tool to check whether other sites are vulnerable to Heartbleed.