Cybercriminals could have stolen sensitive information

Apr 9, 2014 12:07 GMT  ·  By
Users advised to change their passwords as websites rush to fix Heartbleed vulnerability

The Heartbleed vulnerability has been present in OpenSSL for about two years (the bug shipped with OpenSSL 1.0.1 in March 2012), and it is uncertain whether any cybercriminal groups exploited it during that period. Now that the news is out, however, it is likely that at least a few malicious actors have tried their luck at harvesting sensitive information.

That’s why companies have started advising their customers to change their passwords, just in case they’ve been stolen by cybercriminals. One caveat: a new password only helps once the site has actually patched OpenSSL (and, ideally, replaced its TLS certificate, since the private key may have leaked as well); a password changed on a still-vulnerable server can simply be harvested again.

Heartbleed (CVE-2014-0160) is a vulnerability in OpenSSL’s implementation of the TLS heartbeat extension, present in OpenSSL 1.0.1 through 1.0.1f and fixed in 1.0.1g. An attacker sends a maliciously crafted heartbeat request whose declared payload length is larger than the payload actually sent; an unpatched server copies the declared number of bytes (up to 64 KB per request) from its own process memory into the reply, and the request can be repeated indefinitely. The leaked memory can include the server’s private key, session cookies, usernames, passwords, the contents of communications and even financial information, depending on what the site is used for.
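To make the mechanism concrete, here is an added example that is not code from this article or from OpenSSL: a small C model of the heartbeat handler with the missing bounds check, beside the same handler with the checks OpenSSL 1.0.1g added. The simulated heap, the secret string and all function names are constructed for the example; only the claimed-length-versus-record-length logic mirrors the real bug. The over-read is kept inside one fixed array so the model runs without undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire format of a TLS heartbeat message (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (at least 16 bytes)
 * The bug: OpenSSL 1.0.1 through 1.0.1f trusted payload_length without checking it
 * against the size of the record actually received. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Simulated heap (constructed for this example): the received record is laid out
 * at the front, and unrelated data that happens to sit next to it follows. */
static unsigned char process_memory[256];
static const char secret[] = "session_cookie=abc123;";   /* constructed sample data */

typedef int (*hb_handler)(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap);

/* Place a heartbeat request in process_memory that claims `claimed_len` payload bytes
 * but actually carries `actual_len`, then put the secret right behind the record.
 * Returns the record length, i.e. what the peer really sent. */
static size_t build_request(uint16_t claimed_len, size_t actual_len) {
    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = HB_REQUEST;
    process_memory[1] = (unsigned char)(claimed_len >> 8);
    process_memory[2] = (unsigned char)(claimed_len & 0xff);
    memset(process_memory + 3, 'A', actual_len);
    size_t rec_len = 1 + 2 + actual_len + HB_PADDING;   /* padding bytes are already zero */
    memcpy(process_memory + rec_len, secret, sizeof secret);
    return rec_len;
}

/* Mirrors the shape of tls1_process_heartbeat() in OpenSSL 1.0.1f: the claimed
 * length drives the memcpy and the real record length is never consulted. */
static int process_heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                        unsigned char *out, size_t out_cap) {
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)(((unsigned)p[0] << 8) | p[1]);   /* n2s(p, payload) */
    p += 2;
    const unsigned char *pl = p;
    (void)rec_len;                                /* the record length is ignored */
    if (hbtype != HB_REQUEST) return -1;
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;            /* stands in for allocating the reply buffer */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);                 /* over-read: copies `payload` bytes past the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* The same handler with the two bounds checks added in OpenSSL 1.0.1g. */
static int process_heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap) {
    if (1 + 2 + HB_PADDING > rec_len) return -1;  /* too short to be a heartbeat: discard */
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)(((unsigned)p[0] << 8) | p[1]);
    p += 2;
    const unsigned char *pl = p;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;  /* the missing check */
    if (hbtype != HB_REQUEST) return -1;
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);                 /* now bounded by what was actually received */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

static int contains(const unsigned char *hay, size_t hay_len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Feed one request through a handler. Returns 1 if the secret leaked into the reply,
 * 0 if the reply is clean, -1 if the handler rejected the request, -2 if the
 * parameters would step outside the simulated heap. */
static int run(hb_handler handler, uint16_t claimed_len, size_t actual_len) {
    unsigned char resp[512];
    if (3 + (size_t)claimed_len > sizeof process_memory) return -2;
    if (3 + actual_len + HB_PADDING + sizeof secret > sizeof process_memory) return -2;
    size_t rec_len = build_request(claimed_len, actual_len);
    int n = handler(process_memory, rec_len, resp, sizeof resp);
    if (n < 0) return -1;
    return contains(resp, (size_t)n, secret);
}

int main(void) {
    printf("vulnerable, honest request (claims 4, sends 4): %d\n", run(process_heartbeat_vulnerable, 4, 4));
    printf("vulnerable, claims 64 but sends 4:              %d\n", run(process_heartbeat_vulnerable, 64, 4));
    printf("fixed, claims 64 but sends 4:                   %d\n", run(process_heartbeat_fixed, 64, 4));
    return 0;
}
```

The honest request is answered identically by both handlers; the lying request makes the vulnerable handler copy 64 bytes starting at the payload, which in this model walks straight into the adjacent secret, while the fixed handler drops the record because 1 + 2 + 64 + 16 exceeds the 23 bytes that actually arrived.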

It’s possible that since the existence of the Heartbleed bug came to light, cybercriminals have tried their luck at harvesting some data. Because it took many companies several hours or more to patch their OpenSSL installations, attackers had a usable window even if they first learned of the vulnerability this week. Exploitation also leaves nothing unusual in ordinary web server logs, so a site generally cannot tell after the fact whether it was hit.

Ars Technica was among the first organizations to ask users to change their passwords. The news website says there have been some reports of compromised accounts through the exploitation of the OpenSSL vulnerability.

Tumblr is also warning users to change their passwords.

“This might be a good day to call in sick and take some time to change your passwords everywhere – especially your high-security services like email, file storage, and banking, which may have been compromised by this bug,” the company noted in its advisory.

Yahoo hasn’t advised its users to do the same, but it should, especially since it took the company a lot of time to make sure its systems were secure.

In the meantime, security companies have started publishing technical details for the Heartbleed bug. Trend Micro has published “The Analysis of the Heartbleed OpenSSL Vulnerability,” while Sophos has posted the “Anatomy of a data leakage bug.”

Government agencies have also started warning users and organizations of the risks. Stay Smart Online, an initiative of the Australian government, published a high-priority alert earlier today.

“Affected websites may begin notifying users to change passwords if they consider it important, but unfortunately, there is no guarantee websites will do this,” SSO highlighted in its report.

A list of the vulnerable sites among the top 10,000 Alexa websites has also been published on GitHub. At 16:00 UTC on April 8 it counted more than 600 vulnerable sites; many of them have since fixed the issue, so the list is a snapshot rather than a live status.