Reddit is recommending that users change their passwords on the site because of the Heartbleed bug.
If you feel like this is coming a bit late, that’s because it is. The formal announcement on Heartbleed came a week ago, and since then most sites have patched the issue.
“As you may have heard, reddit quickly patched its SSL endpoints against server attack of the infamous heartbleed vulnerability. However, the heartbleed vulnerability has been around for quite some time, and up until it was publicly disclosed reddit's SSL endpoints were vulnerable,” the announcement reads.
Furthermore, Reddit’s application was found to be vulnerable to the OpenSSL bug on the client side, which allowed memory to be leaked to external servers. The issue was addressed quickly. Even so, the vulnerability was there.
Given everything that’s happened, Reddit believes all users should change their passwords as a precaution. Updating the password will log everyone out of their accounts, so you’ll have to use the new one to get back on the boards.
Since many users have already taken the precaution of changing their Reddit passwords, the company has also addressed their situation. Reddit patched Heartbleed hours after the official announcement on April 7, but the second vulnerability was only discovered on April 9. That being said, if you’re a Reddit user and changed your password after last Wednesday, you should be OK. Otherwise, it’s advisable that you go through the process again.
Heartbleed was revealed last week as a vulnerability in OpenSSL that could have exposed huge amounts of private data over the past two years. Attacks exploiting this bug leave no traces on the affected servers, which means there’s no way of telling whether anyone knew about it prior to the announcement, or whether it was discovered a while back and no one was informed of it.
Either way, about two-thirds of the secured websites in the world used affected versions of OpenSSL, including Google, Yahoo and Facebook.