snipeyhead

snipe · @snipeyhead

9th Apr 2014 from TwitLonger

There is a security vulnerability that was recently discovered, colloquially called "Heartbleed". While you may or may not work with computers, you're going to get lots of emails over the next week or two, from service providers you use (Facebook, Twilio, blogs you have a login to, etc), telling you that they've patched the vulnerability. Every email I've gotten so far specifically says "we have no evidence to suggest that user accounts were compromised."

This is 100% patently a line of grade-A bullshit. The very nature of the vulnerability in Heartbleed means it *cannot* be detected. While what they're saying isn't exactly a lie - they do not, in fact, have evidence that user accounts were compromised - it's egregiously misleading and incredibly unethical to make this statement and passively suggest that users might not have been affected. No one knows who has been affected, but to say there is no evidence misleads users into thinking there *would* be evidence if they were affected.

As @nicklockwood on twitter said, "we found a bug that allows our servers to be hacked without leaving evidence, but there is no evidence that this has happened."

Changing your passwords is important, but only do so once your service providers have stated that they've fixed it, otherwise your new password is just as vulnerable as your previous one.
You can use http://filippo.io/Heartbleed/ to check, but you don't know the inner workings of their application, so it's still no guarantee. They may use URLs and systems within their infrastructure that are hidden from you, so you can't test them.

Once they tell you it's patched, change your password. If they haven't said anything, ASK THEM. If they don't answer you and don't have a formal statement, DITCH THEM. This is very serious, and you need to at least know that they have a game plan, if they haven't already fixed it.

Without getting too technical, this is different from security issues we've seen (like with Target). This issue doesn't affect data at rest (stored in a database), but rather data stored in memory over SSL.

If you shop online, do not do business with companies that have not confirmed that they have patched this bug, until they say they have.

But most of all, do not believe their PR bullshit. Bugs happen. It sucks, but it's part of software. I find it offensive and unethical that rather than just addressing the issue, they would suggest that users have nothing to worry about because it makes them look better.
