If you've changed your password on the site after April 9, you should be ok

Apr 15, 2014 09:26 GMT

Reddit is recommending that users change their password on the site because of the Heartbleed bug.

If this feels a bit late, that’s because it is. The formal Heartbleed announcement came a week ago, and since then most sites have patched the issue.

“As you may have heard, reddit quickly patched its SSL endpoints against server attack of the infamous heartbleed vulnerability. However, the heartbleed vulnerability has been around for quite some time, and up until it was publicly disclosed reddit's SSL endpoints were vulnerable,” the announcement reads.

Furthermore, reddit’s application was found to be affected by the OpenSSL bug on the client side as well, which allowed memory to be leaked to external servers. That issue was fixed quickly too, but the vulnerability was nevertheless there.

Given everything that has happened, Reddit says all users should change their passwords as a precaution. Updating the password logs the account out everywhere, so you’ll have to use the new one to get back on the boards.

“It is also strongly recommended, though not required, that you set an email address on your reddit account. If you were to ever forget your password, we cannot contact you to reset it if we don't have your email address. We do not sell or otherwise make your email address available to third-parties, as indicated in our privacy policy,” the site advises.

Many users have already changed their Reddit password once, and the company has addressed their case as well. Reddit patched its servers against Heartbleed hours after the official announcement on April 7, but the second, client-side vulnerability was only discovered on April 9. So if you’re a Reddit user and changed your password after last Wednesday, you should be ok. Otherwise, it’s advisable to go through the process again.

Heartbleed was revealed last week as a vulnerability in OpenSSL that could have exposed huge amounts of private data over the past two years. Exploiting the bug leaves no trace on the affected servers, so there is no way to tell whether anyone knew about it before the announcement, or whether it was discovered a while back and nobody was informed.

Either way, about two-thirds of the world’s secured websites used affected versions of OpenSSL, including Google, Yahoo and Facebook.