Why Heartbleed isn’t something to brush off

Sienna Kossman

When a topic is covered over and over, it’s easy to become numb to the news and its effects, no matter how dire. For me, one of those topics was personal information security. Between national news stories about mass data collection and seemingly never-ending retailer security breach sagas, I have felt it was one of those burned-out topics.

I’ve already been issued a few new credit cards, changed several account passwords and even put a 90-day fraud alert on my credit in response to such safety concerns this year, so when I heard about the most recent information security incident known as Heartbleed, all I could think was, “here we go again.”

Information overload is real, but Heartbleed isn't something to brush off

I’ll admit I was skeptical about Heartbleed at first. Its name, paired with comments deeming it “catastrophic” and even the “end of the Internet” made me question whether this is a real consumer issue or niche technology concern that the media have overblown. Another part of me selfishly hoped I wouldn’t have to take any more steps to protect my information.

I was wrong. Further reading tells me that even for people feeling burned out from all the news about fraud, information breaches and identity theft, Heartbleed is worth paying attention to.

Heartbleed is a major security bug that went undetected for two years, exposing millions of credit card numbers, user names and passwords that were supposed to be safely protected by one of the most common Internet encryption technologies, OpenSSL. Websites encrypted with OpenSSL can be identified by an HTTPS in the URL and a closed padlock symbol in the address bar. The Heartbleed bug allowed these sites to be unlocked, revealing sensitive user information stored in approximately two-thirds of all Web servers, according to Netcraft Internet security studies.

There’s a lot of information available about Heartbleed now. If you are looking for a way to effectively deal with the situation but not get more overwhelmed or discouraged, I recommend the following:

Determine how (or if) you’re affected

Before deciding whether this news is worth reacting to, find out just how at-risk you may be. Websites such as Mashable and Digital Trends have simplified this process by compiling lists of popular websites and apps. They note which have and have not been affected, whether you should change your password and even include the companies’ statements on the issue.

Other companies, including McAfee and Google, have released free tools that can analyze sites you have visited to tell if they were affected by the bug but still remain unpatched.

Spending a short amount of time analyzing your situation can save you from taking unnecessary action and direct your focus to your most vulnerable accounts.

Change your passwords … again

If you are like many consumers, myself included, who started changing passwords shortly after the news of Heartbleed broke April 7, your efforts may have just given the thieves fresh material to steal.

Changing your passwords will only help you protect yourself from any results of this security bug if you wait to do so until after the websites have fixed the issue on their end, according to Rapid7 security researcher Mark Schloesser. If you logged in to an affected website and changed your password before that site patched the issue with an update, both your new and old passwords are still unsecured.

Also, just because there are fixes available for this bug does not mean all websites have actually finished patching the problem. Using the aforementioned tools can help you determine when it’s time to change your passwords and if you need to go back and change them again.

I would also recommend checking your email for updates about the Heartbleed situation. I have already gotten a few notifications from affected websites, such as Pinterest, telling me that the site has been updated and I can (and should) change my password now.

Be alert for email, phone, text message scams

Now, I know I just advised you to use your email as another source of information, but that does need to be done with caution.

If you receive an email asking you to “click here” to change your password or update other account information, do not follow the link. Experts are warning consumers to look out for fake password change notifications as cybercriminals attempt to launch campaigns in the aftermath of Heartbleed. So, if you receive an email that looks like it’s from a trusted website, instructing you to make changes, instead of clicking any links, open a new browser tab and type in the website name, just to be safe.

These scams can also come as text messages and phone calls from unknown numbers asking you to divulge personal information with promises to fix your security situation. If you believe a customer service representative really is trying to reach out and help, get off the phone and then contact them yourself to make sure.

Additional security verification measures

Unfortunately, because so much information was exposed for so long, it’s hard for experts to say just how extensive Heartbleed’s damage may be, or become.

“That’s why this is being dubbed the biggest exploit of the last 12 years. It’s so big and encompassing,” Sam Bowling, a senior infrastructure engineer at the Web hosting service Singlehop, told CNNMoney.

Changing your passwords for affected sites is a good start — once you’re certain those sites have updated their security — but the precautions shouldn’t stop there. Changing your security questions and answers is another measure you can take to further protect yourself against Heartbleed repercussions. For example, Yahoo suggests its users add a backup mobile phone number as another form of identity verification, just in case.

Lastly, even though many banking and e-commerce websites are safe from the bug because the majority use a different type of encryption protection, according to, your finances could still be at risk. If you shopped on a website that has not been identified as a site that has been safe from Heartbleed, your credit card number could be vulnerable. Again, check to see if there are any other steps you can take to protect your account and continue to check monthly statements as well as your credit reports at least once a year for unusual activity.

Because, unfortunately, you can never be too careful.
