Heartbleed Bug: Millions of Internet Sites Compromised

NickNitro

I go on CGhub.com every day to check out the latest 3D artwork and to get inspiration. Today I was redirected to godaddy.com. The site is a very successful 3D community site with thousands of subscribers.

With a little digging this morning it has come to my knowledge that one of my favorite sites may have been a victim of Heartbleed.



UPDATED 9:15 AM EDT Thursday to remove Twitter from list of affected sites, and add OKCupid.

If you've been following the news for the past 24 hours, you've probably heard of the Heartbleed bug that's affecting the security of millions of websites. It's a big deal, with security experts using terms such as "catastrophic" and "devastating."

Unfortunately, there's not a lot the end user can do to fix things. Heartbleed mainly creates problems on Web and email servers. Windows PCs, Macs and mobile devices aren't directly affected, and antivirus software has no impact on Heartbleed. Systems administrators are scrambling to patch server software, but average Internet users have to wait it out.


Change your Yahoo, Flickr and Tumblr passwords.

Like millions of other websites, Yahoo and its subsidiaries Flickr and Tumblr were vulnerable to Heartbleed. Unlike many prominent sites, these did not patch their systems before the Heartbleed bug became public knowledge Monday evening (April 7).

Security researchers yesterday (April 8) used Heartbleed to capture usernames and passwords as random people logged into their Yahoo Mail accounts. If the good guys were doing that, you can bet the bad guys were too.

If you used your Yahoo username-password combination to log into other online accounts, change the passwords on those accounts as well.

Consider changing your Google, Facebook and Dropbox passwords.

Each of those services used the affected software and have confirmed they were vulnerable to the Heartbleed bug in the past two years. (Scroll down to see a list of other prominent affected sites.)

We haven't heard of anyone trying to use Heartbleed against those services, but one of the tricky things about a Heartbleed exploit is that it would leave no trace. System administrators simply wouldn't know if they'd been attacked.

http://www.tomsguide.com/us/heartbleed-bug-to-do-list,news-18588.html
 
I'm really glad SHH is still here. Seeing Cghub.com send me to godaddy.com was the worst feeling in the world this morning :(
 
This is almost entirely on the websites to fix. Users aren't going to be able to do much until the servers are patched. Most of the major ones already did it but changing your password on some of the others isn't going to help if they're still vulnerable.
 
I am really surprised Yahoo is vulnerable. It's no small site.
 
This affects roughly 66% of the entire internet. It's a tiny little flaw in the code with massive consequences. Yahoo isn't the only major site affected either. Many of the "big boys" were affected.
 
Wow, this is crazy. What about credit card sites, stores, etc?
 
My God that is absolutely insane. I can't believe there is one tiny hole that can simultaneously affect ALL of these sites at exactly the same time. I just assume every site (especially the big ones) were their own entities with their own security systems in effect.
 
It depends on who used the affected software so it's going to be at least some of those but with literally millions of sites there is no easy way to list them.
 
Some idiot trying to make a point again, I wager.
 
The way it works bypasses security. It's easier to point you to this article that explains it better than I can. Or this one. Also, they cover it here because Ars Technica is good at reporting and staying on top of these things.
 
Until the affected servers are patched, it's not even worth you changing your password... It's a bit scary.

EDIT
Also this article gives a pretty good run down on the problem

When the bug is corrected, look here for ideas on strong passwords
 
Thanks for the info guys.


 
So everyone needs to change all of their passwords for every site they use?
 
No because the sites are still vulnerable I guess. Each site will tell you individually I guess when you should change your password once they patch the issue.
 
Exactly. Changing your password to the strongest most complicated one possible won't do anything until the sites with the vulnerabilities have patched them.
 
I was just wondering how many passwords I'll have to change eventually.
 
Well, you should change your passwords anyway. At some point someone is probably catching you type in the same random letter/number combo like 4 times a day for a year.
 
I use lastpass.com which makes it much, much easier to use absurdly strong and convoluted passwords you could never memorize but make it harder to crack (assuming whatever site you use the password on bothers to encrypt them properly in the first place on their end). And it can auto log-in most sites for you so you won't have to look up to copy/paste or manually type in that string of letters and numbers and symbols.
 
Surely Google patched the bug. By all means change your Gmail passwords.
 
Haha, my outlook/hotmail is unaffected, mostly because no one gives a **** about Microsoft.




:csad:
 
Haven't heard about this or seen any warnings.
 
The news is naturally slow to spread. No company likes to announce they had a security breach so they do their best to pretend it never happened when they can.
 

This. Especially companies like Amazon whose sole purpose is to get you to put your account information on their site to buy ****.
 
