As of the evening of 08 April 2014, vulnerable websites included Yahoo, Flickr, Tumblr and many other top sites. Here’s a list of of sites that were still vulnerable yesterday, but note that just because a site was not vulnerable this week, does not mean information was not compromised. This vulnerability has existed for around two years and exploitation leaves no trace – making it possible that websites have been leaking sensitive data for moths or years without raising any red flags. [A]

Techlicious states that it is “not clear, and probably never will be, which sites were actually subject to malicious activities and what data was stolen. Nor is easy for the average Internet user to determine which sites were even vulnerable in the first place. This puts us in the unfortunate position of recommending that you change all of your passwords for every website, but that you only do it for a given site once it’s gotten a security upgrade to prevent future snooping. Sounds like a massive, complicated undertaking? It is. But that is a reflection of how serious this threat is.” [C]

By exploiting this vulnerability “attackers could decrypt traffic to and from the server; impersonate the server so that users who think theyâ€re visiting a given website are actually visiting a fraudulent site disguised as the correct one; or decrypt the serverâ€s databases, including their users†personal information, such as usernames, passwords, email addresses, payment information and more.” [A]

You may not want to change your passwords just yet. “If a website hasnâ€t [fixed the problem] then a new password would be just as compromised as an old one.” [A] The New York Times “ Bits” blog echoes this recommendation, “Changing a password on a site that hasnâ€t been fixed could simply hand the new password over to hackers. Experts recommended that, before making any changes, users check a site for an announcement that it has dealt with the issue.” [B]

It has been suggested by some authors that Internet users take a few days away from the net while server administrators patch the issues, but ICSI security researcher Nicholas Weaver says that approach may not be sufficient. In the case of a compromise server, it likely their private keys were compromised as well. This would allow attackers continued access even after the patch is applied unless security certificates are revoked and reissued. The Verge reports that “Servers can reset their certificates, but it’s slow and expensive, and experts suspect many of them may simply assume the patch is enough. “I bet that there will be a lot of vulnerable servers a year from now,” Weaver says. “This won’t get fixed.” ” [D]

While the scope of this issue is currently unknown, Yahoo Tech recommends that “because an attack using the bug would leave no trace, and the potential damage from an attack would be so significant, all websites that ever used the affected versions of OpenSSL should be considered compromised. ” [A]

Even if you do not care if your Flickr or Tumblr account data is compromised, be aware that that data from one site can be used to access other sites. For instance, if you use the same passwords on multiple accounts, one compromised account can allow an attacker to access sites you do care about (i.e. banking and email). If an attacker gains access to your email account, it is often possible to reset all of your passwords (including financial institutions). The attacker would then have full access to all your important accounts and personal information. Since it is unknown which sites were subject to a data breech, reseting all passwords is the only safe solution.

We would love to hear your feedback on any of our articles. Let us know if you have an issue or topic that you would like us to write about. We will try to cover the topic or point you to someone who has already done so. Thank you for taking the time to read our blog. We look forward to hearing from you.