There have been numerous articles going around in regards to the new Heartbleed threat. What this refers to is a problem with the technology used to make secure connections with websites. Typically you would see a tiny padlock icon in your browser next to the “https://” indicating that a website is “secure.” It turns out that this may not be in fact the case. As far back as March of 2012, this vulnerability (referred to as Heartbleed) would allow hackers to potentially gain access to any data that was transmitted to an affected website. Unfortunately, this list is fairly vast and almost everyone may have used or know of someone who has used these websites. Until this vulnerability is fixed with those websites, it still may be unsafe to send personal information to them.

So what do you do? Normally, the best approach when security is potentially compromised is to change your password. However, in this case, changing your password immediately may not be the best course of action. Until a website has corrected the vulnerability, changing your password would only serve to potentially give attackers your new password. We suggest that you wait until the affected website has corrected the problem before attempting to change your password. Typically a website will notify you (via e-mail if you have an account with them) that its corrections have been made. Another good practice would be to ensure your accounts across various websites do not share passwords. Keep this in mind when changing passwords, because it is common practice for hackers to attempt to use your credentials at multiple websites (expecting you to use the same password). This would also mean that even if a website you frequent was not affected, you would still need to change its password if you shared it with a website that was.

There are two resources you can use to help see if there is any action you should take, and to help check websites going forward. The first is This List updated by GitHub on 4/9/2014, which is a historical list of what websites have been affected up until this point. If you find a website you have shared secure information with on this list, you should consider changing your password when it is safe to do so. The second is a realtime tool which can verify if a website is CURRENTLY vulnerable to Heartbleed: http://filippo.io/Heartbleed/ . You can use this link to check if a website is “safe” and if it would be ok to change your password with it.

On a final note: Beware of e-mails asking you to change your password! There are a number of scams already started which send fake e-mails with embedded links to change your passwords for Heartbleed. DO NOT BE FOOLED! Links in e-mails are highly suspect, especially when the sender could be faked. Best practice is to manually visit a website (by typing it in your browser) in order to reset a password. Following e-mail links should be highly discouraged.