If you needed further motivation to change your passwords, it turns out that the NSA has been utilizing the giant security vulnerability known as the “Heartbleed bug” to gather information about Internet users,Bloomberg reports.
The bug, which takes advantage of an unnoticed programming error in a widely used encryption standard to trick web servers into giving up valuable user data, has affected nearly everyone on the Internet.
As we explained on Tuesday, as many as 66% of websites use the software containing the flaw, including major services like Facebook, Yahoo, and Gmail.
That makes it an extremely useful tool for the NSA’s data collection efforts, though its use throws into question the NSA’s intentions and efficacy. After all, it’s difficult, maybe even impossible, to determine which puts American cybersecurity at greater risk: leaving American citizens’ data vulnerable for two years to a method that doesn’t leave a trace, or the threats that the NSA is fighting against using the bug itself.
So what can I do to protect myself?
Since the vulnerability has been in OpenSSL for approximately two years and utilizing it leaves no trace, assume that your accounts may be compromised. You should change passwords immediately, especially for services where privacy or security are major concerns.
Meanwhile, the researchers who discovered the flaw let the developers behind OpenSSL know several days before announcing the vulnerability, so it was fixed before word got out yesterday. Most major service providers should already be updating their sites, so the bug will be less prevalent over coming weeks.