
General public advised to change all passwords in the face of “grave” security flaw

Technology companies are rushing to tell customers to change all passwords after a major bug affecting OpenSSL was revealed earlier this week.

The Heartbleed Bug is a flaw in the cryptography library that has existed for over two years and can be used to easily expose secret keys that are at the heart of one of the Internet’s most widely used security protocols.

Yahoo is one firm that has reportedly been affected and it told the general public via Tumblr “this might be a good day to call in sick and take some time to change your passwords everywhere – especially your high-security services like email, file storage, and banking, which may have been compromised by this bug.”

"Our team has successfully made the appropriate corrections across the main Yahoo properties - Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr - and we are working to implement the fix across the rest of our sites right now," a spokesperson for the company told the BBC.


OpenSSL’s vulnerability was revealed earlier this week by Google Security and Codenomicon, a Finnish security firm, and lets attackers copy keys that enable them to pilfer the names and passwords of people using various services. This in turn can allow fake sites that appear to be genuine to be set up using the stolen data.

The flaw has been given its name because it causes a “leak of memory contents” between servers and clients. Security researchers add that it doesn’t leave a trail, and that the only way to find out whether it has been used is if hackers boast about it online.
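The memory leak the article describes, modelled as an added example that is not part of this article or of OpenSSL’s own code: a simplified heartbeat handler that trusts the length field inside the message, beside one that applies the bounds check the fix introduced. The server memory, the heartbeat record and the “secret” lying next to it are all constructed for the demonstration.

```python
import struct
from typing import Optional

# A TLS heartbeat message is: type (1 byte) | payload_length (2 bytes) | payload | padding (16 bytes)
HEARTBEAT_REQUEST = 1
PADDING_LEN = 16


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Encode a heartbeat record. claimed_len may differ from len(payload)
    to model a malformed message whose length field overstates the payload."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def vulnerable_heartbeat_reply(memory: bytes, record_len: int) -> bytes:
    """Mirrors the unfixed logic: the length field in the message is trusted and
    that many bytes are echoed back from where the payload starts. record_len,
    the size of what was actually received, is never consulted."""
    _msg_type, claimed = struct.unpack("!BH", memory[:3])
    return memory[3:3 + claimed]  # reads past the record into adjacent memory


def fixed_heartbeat_reply(memory: bytes, record_len: int) -> Optional[bytes]:
    """The patched check: header, declared payload and padding must all fit
    inside the record that was received; otherwise the message is discarded."""
    if record_len < 1 + 2 + PADDING_LEN:
        return None
    _msg_type, claimed = struct.unpack("!BH", memory[:3])
    if 1 + 2 + claimed + PADDING_LEN > record_len:
        return None
    return memory[3:3 + claimed]


def demo() -> dict:
    """Constructed scenario: a 5-byte payload that claims to be 64 bytes, with
    unrelated (constructed) data sitting right after the record in memory."""
    payload = b"hello"
    record = build_heartbeat(payload, claimed_len=64)
    adjacent = b"<constructed secret: session cookie=abc123>"
    memory = record + adjacent
    leaked = vulnerable_heartbeat_reply(memory, len(record))
    safe = fixed_heartbeat_reply(memory, len(record))
    return {"leaked_adjacent_bytes": leaked[len(payload):], "fixed_reply": safe}


if __name__ == "__main__":
    print(demo())
```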

The BBC reports that Google told a select group of organisations before making the issue public, in order that companies could update equipment to a new version of OpenSSL that was recently released.

NCC Group, a cybersecurity firm that advises various FTSE 250 firms, told the BBC that the situation was “grave” due to the low level of knowledge needed to exploit the vulnerability.

"The level of knowledge now needed to exploit this vulnerability is substantially less than it was 36 hours ago," said NCC Group associate director Ollie Whitehouse. "As long as service providers have patched their software it would now be a prudent step for the public to update their passwords."

Organisations that used Microsoft’s Internet Information Services web server software would not have been affected, and users are reminded that refreshing passwords is a sure way to prevent being affected by the flaw.