April 11, 2014 9:26 pm

Heartbleed bug: What’s affected and what passwords you need to change

WATCH: As we learn more about the Heartbleed bug’s impact on online security, experts say it’s time to change your passwords – all of them. Mike Drolet reports.

TORONTO – An encryption flaw now known as the Heartbleed bug has made a major impact on online security. The flaw has affected many online services and websites that Canadians access every day.

Story continues below

LIVE BLOG: Experts answer Heartbleed bug questions Tuesday at 12 p.m. ET

Security experts have gone as far to call it one of the biggest security threats the Internet has ever faced.

The flaw affects OpenSSL – a widely used open-source set of libraries for encrypting online services.

READ MORE: Heartbleed may lead to more security audits, advanced security services

Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to show that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock is closed, leaving users’ information vulnerable.

For now, the best  you can do to protect yourself is change the password to any accounts associated with websites affected by the bug once the website confirms it’s deployed a fix.

Global News has created a list of some of the most popular services to let you know what’s affected and what passwords you need to change:

ONLINE BANKING

Were Canadian banks affected? No.
Do you need to change your password? No – but this is a good reminder that your Internet banking password should be very secure.

“The online banking applications of Canadian banks have not been affected by the Heartbleed bug,” the Canadian Bankers Association said in statement issued Wednesday afternoon. “Canadians can continue to bank [online] with confidence.”

CANADA REVENUE AGENCY

Was it affected? Yes
Do you need to change your password? Yes

As of Friday the CRA’s online services were still offline due to the security concern. But according to a statement issued Friday, the websites will be back online by the weekend. Those with accounts should update their passwords once the site comes back online to be safe.

SOCIAL MEDIA

Facebook

Was it affected? Unclear
Do you need to change your password? Yes

“We added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed. We haven’t detected any signs of suspicious account activity, but we encourage people to [...] set up a unique password,” Facebook said in a statement.

LinkedIn

Was it affected? No
Do you need to change your password? No

Instagram

Was it affected? Yes
Do you need to change your password? Yes

“Our security teams worked quickly on a fix and we have no evidence of any accounts being harmed,” the company said.

Twitter

Was it affected? No
Do you need to change your password? No

“We were able to determine that twitter.com and api.twitter.com servers were not affected by this vulnerability. We are continuing to monitor the situation,” Twitter said on its website Wednesday.

Tumblr

Was it affected? Yes
Do you need to change your password? Yes

“We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue. This might be a good day to call in sick and take some time to change your passwords everywhere,” Tumblr said in a statement on Tuesday.

Pinterest

Was it affected? Yes
Do you need to change your password? Yes

TECH COMPANIES

Google

Was it affected? Yes
Do you need to change your password? Probably.

According to a statement from Google, the company proactively looks for vulnerabilities in order to fix them before they are exploited and therefore fixed this bug “early.” Google said users do not need to change their passwords because of this – but better safe than sorry in this case.

“We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine.  Google Chrome and Chrome OS are not affected,” a post on Google’s security blog published Wednesday said.

Microsoft

Was it affected? No
Do you need to change your password? No

Apple

Was it affected? No
Do you need to change your password? No

Yahoo

Was it affected? Yes
Do you need to change your password? Yes

“Our team has fixed the Heartbleed vulnerability across our main properties & is implementing the fix across our entire platform now,” the company tweeted Tuesday.

Yahoo is also the email provider for Rogers customers.

According to a statement issued to Global News, “Rogers. com doesn’t use the impacted versions of the SSL software, so was not impacted by the bug.” But a spokesperson added that the company recommends customers update their passwords frequently as best practice.

ONLINE SHOPPING

Amazon

Was it affected? No*
Do you need to change your password? No

*Amazon said with the exception of some services – Elastic Load Balancing, Amazon EC2, Amazon CloudFront, AWS OpsWorks and AWS Elastic Beanstalk – its services were unaffected. If you use these, you should probably change your password.

eBay

Was it affected? No
Do you need to change your password? No

Etsy

Was it affected? Yes
Do you need to change your password? Yes

“As of right now, we have no indication that an attack has been conducted against Etsy beyond testing the vulnerability, but this type of issue makes it very difficult to detect, so we’re proceeding with a high degree of caution,” read a security update on Etsy’s website Tuesday.

Paypal

Was it affected? No
Do you need to change your password? No

OTHER ONLINE SERVICES

Dropbox

Was it affected? Yes
Do you need to change your password? Yes

“We’ve patched all of our user-facing services & will continue to work to make sure your stuff is always safe,” the company tweeted Tuesday.

OKCupid

Was it affected? Yes
Do you need to change your password? Yes

Evernote

Was it affected? No
Do you need to change your password? No

“Evernote does not use, and has not used, OpenSSL, so we were not vulnerable to this bug. As an Evernote user, you don’t need to take any action,” read the company’s blog.

© Shaw Media, 2014

Report an error

Comments