A massive security flaw exposed on websites could put your private information, such as credit card numbers and other data, at risk. The bug is known as Heartbleed, and security experts are warning Internet users to change their passwords on sites they use — and then be prepared to change them again soon.
Researchers uncovered the vulnerability in a Web security measure known as OpenSSL. A lock next to a website's URL typically indicates that the site is encrypted and that third parties will not be able to read or receive the information you send. But the Heartbleed bug could potentially break the encryption and expose users’ personal information.
Researchers believe that up to two-thirds of websites could be affected. Google, Facebook, and Yahoo! recently confirmed that they had been affected and said they were applying fixes to their systems, The New York Times reports.
Website administrators are upgrading their software and applying added protections against Heartbleed. Still, security experts are advising consumers to change their passwords at any site that holds their sensitive data.
But beware: “Changing your passwords before sites were patched could simply lead to re-exposure,” says Bruce Schneier, a cryptographer and security consultant who discovered the OpenSSL flaw on his own site. He urges people to find out if the sites they use have fixed the problem — or if they were ever at risk — before changing their passwords.
Companies will likely begin contacting customers soon about resetting passwords, but Brian Krebs, a security researcher, says consumers may want to be proactive in changing passwords now even if it means they may need to do it again later.