The Heartbleed Internet-security flaw is very bad, but contrary to many media reports, you don't have to run out and change all your passwords now. In some cases, it might be better to wait, or not do it at all.
First, to be clear, you don't need to change any passwords or PINs you use to log into a Windows PC, Mac or mobile device. For the most part, personal computers, smartphones and tablets are not directly affected by Heartbleed. [Heartbleed: Who Was Affected, What to Do Now]
Heartbleed affects Web, email and chat servers by undermining the secure connections they make with you. Not all servers are affected, only those that used certain encryption protocols over the past two years. Most servers running Microsoft software, as well as servers that used other encryption protocols, are unaffected.
Furthermore, although Heartbleed was made public on Monday evening (April 7), some companies got advance warning and patched their vulnerable servers beforehand. Among these were Google, which helped find the flaw, and Facebook. (That doesn't mean they weren't hit before they patched; a Heartbleed attack would have left no trace.)
Most companies got no advance warning, including Yahoo, which scrambled to patch its servers Tuesday even as security researchers found it was easy to see usernames and passwords as users logged into Yahoo Mail.
Because of the complexity of the Heartbleed bug, and the way in which the news got out, there are six categories of websites that were affected in different ways.
The following lists only prominent U.S. websites; for a much more detailed list, see this breakdown of the top 10,000 websites worldwide, compiled Tuesday by former LulzSec hacker Mustafa al-Bassam.
Sites for which you will definitely need to change your password
- Yahoo, including Yahoo Mail and any Yahoo Group [Yahoo Mail and Heartbleed: How to Secure Your Account]
- Flickr (Yahoo subsidiary)
- Tumblr (Yahoo subsidiary)
- Ars Technica
These sites patched their servers after the public disclosure, and it's safe to change your password on them.
- Electronic Frontier Foundation
Do NOT change your password on any of these sites until they say they have patched their servers. Otherwise, attackers could capture your new password as well.
- The Atlantic
- The Economist
- OK Cupid
- Rolling Stone
- Stack Overflow
These sites are at minimal risk, but were nevertheless vulnerable over the past two years while the Heartbleed flaw existed undetected. It wouldn't hurt to change your password on these — and to activate two-step verification on them, and on Yahoo too.
- Blogger/Blogspot (Google subsidiary)
- Google, including Gmail
- Instagram (Facebook subsidiary)
- YouTube (Google subsidiary)
- Bank of America
- Capital One
- Huffington Post
- The New York Times
- TD Bank
- The Wall Street Journal
- Wells Fargo