First of all, don’t panic. It’s still unclear whether any information has been stolen as a result of Heartbleed, but security experts are particularly worried about the bug because it went undetected for more than two years.
Unlike a conventional security breach where malicious attackers break into a site and download a bunch of encrypted usernames and passwords – usernames and passwords they have to crack open, which can be extremely difficult if you use a good password – this bug lets attackers grab information in relatively tiny chunks of data as it’s flowing through a server.
That means that you’d have to be logging into a site or entering your credit card number at the exact time an attacker is grabbing a chunk of data. Unfortunately, this bug has shown that sometimes usernames, passwords and other protected data can be grabbed unencrypted, meaning that once they’re grabbed, there’s no need to crack them.
Ultimately, you’ll need to change your passwords, but that won’t do any good until the sites you use adopt the fix. It’s also up to the Internet services affected by the bug to let users know of the potential risks and encourage them to change their passwords.
You can find out if your favorite server is vulnerable by entering a URL or host name on the Heartbleed Test site. CNET is running a constantly updated list of the 100 most popular vulnerable servers.
After a site has confirmed it has taken all the steps to protect against the bug, dump all the history and cookies out of your Web browser.
Then change your passwords. As we have told you several times in the past, make your new password as strong as possible, using a combination of upper- and lower-case letters, numbers and symbols. Consider using a password manager program.
For more information about Heartbleed, we recommend these articles: