'Heartbleed' Bug: Websites Claim Your Password Is Safe, But Is it? - East Idaho News

(NEW YORK) — The “Heartbleed” bug has prompted security experts to warn that information on approximately half a million websites may be vulnerable to hacking, but most companies are still standing by their statements that customer information is safe, including retailer Target, which was the subject of a massive data hack reported last November.

The contradictory tone of alarm and reassurance has led to a patchwork of advice from online retailers and other companies with a major Web presence.

Department store Neiman Marcus, the subject of another recent security breach, did not immediately respond to ABC News’ request for comment.

Adam Levin, co-founder and chairman of IDentity Theft 911, said passwords do have to be changed, but if you do so, the timing counts.

“First, find out site by site what they’re doing to get the site protected — you can do this by seeing if they’ve issued a public statement or contact them directly. Once the problem is solved, then change your password — make each new password unique and hard to crack,” Levin said. “With any type of exposure, be extra careful of cyber thieves that look to harp on news to take advantage of consumers. Be cautious of shared links and news about the bug.”

Here’s what Target and other sites are saying about how they fixed potential vulnerabilities in their system:

Target
Molly Snyder, a spokeswoman for Target, said the company launched a “comprehensive review of all external facing aspects of Target.com” on Tuesday. “Based on our findings, we do not currently believe that any external-facing aspects of our sites are impacted by the OpenSSL vulnerability,” Snyder reiterated Thursday. OpenSSL is a widely used open-source implementation of the SSL/TLS protocols, which are supposed to keep Web communication secure.

eBay
Ryan Moore, a spokesman for eBay, said, “eBay is aware of the security vulnerability identified in a version of OpenSSL, also known as the Heartbleed Bug. The vast majority of our services were not impacted and our users can continue to shop securely on our marketplace. Consumer safety is our top priority, and we will continue to monitor this bug to ensure our users remain protected.”

Facebook
A Facebook spokesperson said on Wednesday that the company “added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed, and we’re continuing to monitor the situation closely… We haven’t detected any signs of suspicious account activity that would suggest a specific action, but we encourage people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don’t use on other sites.”

Amazon
Ty Rogers, a spokesman for Amazon, said in an emailed statement that the company’s website “is not affected” by the Heartbleed bug.

Google
A Google spokesperson said in an emailed statement, “The security of our users’ information is a top priority. We proactively look for vulnerabilities and encourage others to report them precisely so that we are able to fix them before they are exploited. We have assessed the SSL vulnerability and applied patches to key Google services.” A Google spokesman confirmed the company statement Thursday, which contradicts advice from Mashable. “The security of our users’ information is a top priority. We fixed this bug early and Google users do not need to change their passwords,” the Google spokesman said. Google also posted a blog post on Wednesday detailing the fix for the bug and pointing out that Android users are not vulnerable. In general, Google advises users to pick strong passwords that are different for each important account and says it is good practice to update passwords regularly. The firm also recommends turning on two-step verification, which provides a stronger layer of sign-in security. Even if your password gets stolen, it’s not enough to access your account, the company said.

Yahoo
In a statement, Yahoo said, “A vulnerability, called Heartbleed, was recently identified impacting many platforms that use OpenSSL, including ours.” The company said it has “successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr) and we are working to implement the fix across the rest of our sites right now. We’re focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users’ data.”

Intuit
A spokeswoman for Intuit, which owns the popular tax preparation program TurboTax, said the company is “not proactively recommending” that customers update their online passwords but “it is always good practice to regularly update” them.

Tumblr
Tumblr issued a warning, saying the blog site has “no evidence of any breach and, like most networks, our team took immediate action to fix the issue,” but users should change all their passwords.

Copyright 2014 ABC News Radio
