UPDATE: Google, Yahoo and Facebook say they've patched their systems against Heartbleed, a newly discovered vulnerability that allows hackers to steal sensitive data.
LinkedIn says it has never used the OpenSSL encryption technology that has been compromised by Heartbleed.
See a wider roundup of who's patched, or not, here.
As always, it's a good policy to often change your password for a site or service, and to not use the same password for multiple sites.
EARLIER: InternetNZ and the New Zealand Internet Task Force (NZITF) are warning website owners that their site's security may have been breached and private information, including logins and passwords, may have been stolen after the "Heartbleed" vulnerability was identified in the last 24 hours.
Robin Dickie, general manager of web hosting firm Web Drive, tells NBR that Heartbleed is not a case of media hype; it's a "very serious threat".
Some US media reports say Yahoo's servers have been compromised, meaning users of Telecom's YahooXtra email service might have to change their passwords again. However, Yahoo is far from alone. It's estimated that two-thirds of the world's web servers are affected by the Heartbleed vulnerability, which allows malicious code to read a server's working memory and gain access to encryption keys, which can then be used to steal sensitive information.
InternetNZ CEO Jordan Carter said website owners are advised to check their sites and patch them where required. Individual users should change their passwords as a matter of course.
“Website owners shouldn’t panic, but quick action is required by those using vulnerable versions of OpenSSL,” said Mr Carter.
The vulnerability in OpenSSL software, commonly used to secure websites, is easy to exploit and virtually impossible to detect after it has been exploited. Any website using a vulnerable version of OpenSSL may have been attacked by criminals stealing data or eavesdropping on communications to and from the site. Now that this vulnerability is widely known, the likelihood of criminals using this exploit is significantly higher.
To fix the vulnerability, website hosts are advised to follow the steps below in the order given:
- Establish whether your site's servers are vulnerable. This can be done by visiting www.ssllabs.com/ssltest
- Patch the vulnerable servers.
- Revoke/reissue certificates. This is an extremely important step as the servers may have been compromised for some time, without detection.
Patching alone reduces the risk of future data compromise; however, it cannot protect data that has already been captured. As usual, individuals should have separate passwords for different logins, and InternetNZ and the NZITF recommend changing those passwords regularly.
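The three steps above (check, patch, revoke/reissue) are easiest to get right when tracked per host. The following triage helper is an added example and is not code from InternetNZ, the NZITF or the article. It assumes the publicly documented affected range (upstream OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release contain the bug; 1.0.1g and later are fixed; the 0.9.8 and 1.0.0 lines never shipped the heartbeat code). The host names, version banners and dates are constructed sample data.

```python
"""Remediation triage for the check / patch / reissue steps.

Added example, not the advisory's own code. Assumption: the affected upstream
releases are OpenSSL 1.0.1 through 1.0.1f plus 1.0.2-beta1; 1.0.1g and later
carry the fix; 0.9.8 and 1.0.0 never contained the heartbeat code.
"""
import re
from datetime import date

# Upstream release line that carried the bug, and the patch letters of the
# affected releases in that line (1.0.1 with no letter, then 1.0.1a..1.0.1f).
AFFECTED_LINE = "1.0.1"
AFFECTED_LETTERS = "abcdef"

# Matches the start of `openssl version` output, e.g. "OpenSSL 1.0.1e 11 Feb 2013",
# "OpenSSL 1.0.1e-fips 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]?)(?:-beta(\d+))?")


def classify_openssl_version(banner: str) -> str:
    """Return "vulnerable", "fixed", "not-affected" or "unknown" for a banner.

    Caveat: distributions such as Debian, Ubuntu and Red Hat backport the fix
    without changing the upstream version string, so "vulnerable" here means
    "inspect the package changelog / build date", not "confirmed vulnerable".
    """
    m = _BANNER_RE.search(banner)
    if not m:
        return "unknown"
    line, letter, beta = m.group(1), m.group(2), m.group(3)
    if line == "1.0.2":
        return "vulnerable" if beta == "1" else "fixed"
    if line != AFFECTED_LINE:
        return "not-affected"  # 0.9.8, 1.0.0, 1.1.x and later lines
    if letter == "" or letter in AFFECTED_LETTERS:
        return "vulnerable"
    return "fixed"  # 1.0.1g and later


def triage(inventory):
    """Map each host to (status, ordered actions) in the advisory's order.

    inventory rows: (host, banner, cert_not_before, patched_on or None), where
    patched_on is the date the operator recorded the fix (None = not yet).
    """
    report = {}
    for host, banner, cert_not_before, patched_on in inventory:
        status = classify_openssl_version(banner)
        actions = []
        # A host was exposed if its banner is in the affected range, or if the
        # operator recorded a patch date for it (i.e. it used to be vulnerable).
        exposed = status == "vulnerable" or patched_on is not None
        if status == "vulnerable":
            actions.append("patch OpenSSL" if patched_on is None
                           else "confirm backported fix (version string unchanged)")
        # Any private key that sat in memory while the host was exposed may have
        # leaked, so a certificate issued before the patch date needs a new key.
        if exposed and (patched_on is None or cert_not_before < patched_on):
            actions.append("revoke and reissue certificate with a new key")
        if exposed:
            actions.append("reset credentials and advise users to change passwords")
        report[host] = (status, actions)
    return report


SAMPLE_INVENTORY = [  # constructed sample data, not real hosts
    ("www.example.test", "OpenSSL 1.0.1e 11 Feb 2013", date(2014, 1, 15), None),
    ("mail.example.test", "OpenSSL 1.0.1g 7 Apr 2014", date(2014, 1, 15), date(2014, 4, 8)),
    ("shop.example.test", "OpenSSL 1.0.1e 11 Feb 2013", date(2014, 4, 9), date(2014, 4, 8)),
    ("legacy.example.test", "OpenSSL 1.0.0k 5 Feb 2013", date(2013, 6, 1), None),
]

if __name__ == "__main__":
    for host, (status, actions) in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}; " + ("; ".join(actions) or "no action"))
```

The online test at www.ssllabs.com/ssltest exercises a site's public endpoint; this helper is for the internal inventory behind it. The "shop" row shows the one trap worth remembering: a host can report a version string in the affected range and still be fixed because the distribution backported the patch, so the version check is a first screen, not a verdict.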
What should consumers do?
Security company Symantec says people should be aware their data could have been seen by a third party if they used a vulnerable service provider.
You should monitor any notices from the vendors you use, Symantec says. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so.
The company also cautions that you should be wary of potential "phishing" emails from attackers asking you to update your password. To avoid landing on an impersonated website, stick with the official site domain: visit the website of a service provider such as a bank directly to change your password; don't click on a link in an email to get to the site.