NEW YORK – A programming mistake from two years ago has forced countless websites to make fixes to protect the sensitive personal information of consumers.
What consumers should do to protect their own information isn’t quite as clear, because security experts have offered conflicting advice. Should users change their web passwords immediately or wait until sites have fixed the problem?
Changing a password before a site has dealt with the coding flaw, called Heartbleed, means the new password could be vulnerable, and the user will have to pick another password when it is fixed. But changing a password is a minor inconvenience compared to getting personal information like credit card numbers stolen.
“It certainly can’t hurt to change your password now and then again next week,” said Brian Krebs, a security researcher. “That’s not the biggest hardship in the world. It’s a very simple thing to do and gives you a little peace of mind.”
The extent of the problem was still unclear on Wednesday. The researchers who discovered the flaw – a simple error in a Web security measure called OpenSSL – said Monday that up to two-thirds of websites could be affected. Other security experts said the number of sites could stretch into the hundreds of thousands.
But some Internet, banking and retail companies said they were never vulnerable because they didn’t use that type of security software or said they had already repaired the bad code.
Google, Facebook and Yahoo confirmed they had been affected by the OpenSSL flaw and had applied fixes to their systems. Security experts said Yahoo users, in particular, should change their passwords, because that company had not completely patched its software until after the flaw became public. On Tuesday afternoon, researchers probing for vulnerabilities reported that they had been able to capture user names and passwords from Yahoo.
Many of the country’s largest retailers, like Amazon, Walgreens, Nordstrom and Target – which suffered an enormous data breach of its own late last year – said they were not affected. Nordstrom said it would post a statement on its website making clear that it had not been affected, along with tips about keeping information safe online.
Among major financial institutions, the impact also did not appear to be significant. A representative of JPMorgan Chase said it did not use the software that was affected by the Heartbleed flaw and it had determined that its users’ login information was not compromised.
Citigroup said in an email that its initial assessment was that its banking and credit card websites were not affected, but that it was “taking appropriate steps” to safeguard them. It also encouraged users to change passwords frequently and not to use the same passwords on many sites. The Bank of America said the issue was industrywide and did not respond further.
Security experts said consumers should change their passwords at any site that holds sensitive data, especially because most people tend to use the same passwords on many sites. Even if Chase’s websites didn’t reveal your login information, a hacker might obtain it from another affected site.
And the Heartbleed flaw is subtle. While there is no evidence it has been used to steal personal information, if hackers had done so, it would be almost impossible to tell. By Tuesday evening, simple tools to take advantage of the vulnerability were being shared on hacker forums, Krebs said.
If a site has not yet fixed the problem, it is leaving customer information exposed. Also, no one knows how long malicious hackers could have known about the flaw before security researchers discovered it.
Bruce Schneier, a cryptographer and security consultant who discovered the OpenSSL flaw on his own site, warned against taking the problem lightly. “I’ve been saying that on a scale of one to 10, this is an 11,” he said.
Still, changing your passwords before sites are patched could simply lead to re-exposure, he said. That is why it is important to find out whether a site has fixed the problem – or never had it – before a password is changed. Security researchers and the password management company LastPass set up various Internet tools where consumers could check specific sites to see whether they were safe.
“It has to go in sequence, because the vulnerability is at the website,” Schneier said. “Because the password was stolen at the remote site, the remote site needs to fix itself before you can fix yourself.”
Krebs said he expected that major organizations would begin contacting their customers in the coming days and that some of them would even start forcing users to change their passwords. In the meantime, he said it was not a bad idea for consumers to make the changes even if it meant doing it again a few days from now.