This past Tuesday, the OpenSSL project disclosed a major security flaw named Heartbleed, which could be used to spy on the secret digital handshake that takes place during secure transactions using Transport Layer Security / Secure Sockets Layer technology.
What does Heartbleed do?
According to the disclosure, sites that use an affected version of the OpenSSL software library are at risk because of an error in the code. That error allows an attacker to read parts of the data that would normally be protected, revealing personal information such as usernames, passwords, and credit card numbers. That may only be the tip of the iceberg, however.
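The "error in the code" was a missing length check in OpenSSL's handling of the TLS heartbeat extension: the server echoed back as many bytes as the request claimed to contain, not as many as it actually received. The simulation below is an added example written for this page, not OpenSSL's own code; the record layout follows the heartbeat extension, but the "memory" is a constructed bytes object, and the session data sitting next to the record is made up for illustration. The fixed handler shows the shape of the check the patch added.

```python
# Added simulation of the Heartbleed bug class (not OpenSSL source).
# Heartbeat record: 1-byte type, 2-byte big-endian payload length,
# payload, then 16 bytes of padding.
import struct
from typing import Callable, Optional

PADDING = 16


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a heartbeat request. A well-formed request has claimed_len ==
    len(payload); a malformed one claims more bytes than it sends."""
    if claimed_len is None:
        claimed_len = len(payload)
    return bytes([1]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING


def vulnerable_handler(memory: bytes, record_len: int) -> Optional[bytes]:
    """Echo back as many bytes as the request *claims*. Nothing compares
    claimed_len with record_len, so the copy runs past the request into
    whatever happens to sit next to it in memory."""
    claimed_len = struct.unpack("!H", memory[1:3])[0]
    return memory[3:3 + claimed_len]


def fixed_handler(memory: bytes, record_len: int) -> Optional[bytes]:
    """Same echo, but discard any request whose claimed length does not fit
    inside the record that was actually received (the shape of the fix)."""
    if record_len < 1 + 2 + PADDING:
        return None  # too short to hold even a header and padding
    claimed_len = struct.unpack("!H", memory[1:3])[0]
    if 1 + 2 + claimed_len + PADDING > record_len:
        return None  # silently drop the request, as the patched code does
    return memory[3:3 + claimed_len]


# Constructed stand-in for process memory: the heartbeat record followed by
# unrelated data that happened to be allocated next to it (a fake session).
NEIGHBOUR = b"user=alice&password=hunter2&card=4111-xxxx-xxxx-xxxx"


def run(claimed_len: int, handler: Callable[[bytes, int], Optional[bytes]]) -> Optional[bytes]:
    """Send a 4-byte 'ping' payload with the given claimed length to a handler."""
    request = build_heartbeat(b"ping", claimed_len)
    memory = request + NEIGHBOUR
    return handler(memory, len(request))


if __name__ == "__main__":
    print(run(4, vulnerable_handler))   # honest request: b'ping'
    print(run(40, vulnerable_handler))  # over-read: padding plus neighbouring session data
    print(run(40, fixed_handler))       # None: rejected by the length check
```

The vulnerable handler is what makes the leak untraceable: from the server's point of view it answered an ordinary heartbeat, so nothing unusual is logged. The fix is the single comparison in fixed_handler.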
If an attacker uses this vulnerability to obtain the keys the site uses to identify itself, they could use those encryption keys to launch attacks and trick people into thinking a fake e-commerce site is the real one. And if the attacker holds the master key, they can access the system and review previous transactions without anyone being the wiser.
Considering how long the vulnerability has remained unnoticed and since previous attacks would be untraceable, there is no telling how many people have been affected. Not all is lost though, as many versions of OpenSSL are not affected and a fix is already circulating.
If you have browsed the web at any point in the last two years, you have to assume that your information may have been compromised. Sites like Yahoo, Flickr, and Imgur are on the list, so judge accordingly.
The best course of action is to avoid affected sites until they have been patched, and to change your login credentials only once they have. There is no sense in creating a new password for a site that may still be vulnerable.
LastPass to the rescue
To help the multitudes of consumers affected by the Heartbleed situation, LastPass has just added a new feature to their security tool that flags which websites were affected by Heartbleed, whether they have taken the necessary steps to fix the vulnerability, and when it is safe to go ahead and update your passwords.
To run the security check in LastPass, click the LastPass extension icon and go to Tools. Select Security Check, and a new tab will open asking you to take the LastPass security challenge. Click the Start the challenge button, and a list of affected sites will appear.
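The rule the article gives (wait while a site is still vulnerable, change the password only after the site is patched, and only if the current password predates the patch) is what a tool like the LastPass check has to decide for every site. The code below is an added example that writes that rule out; it is not LastPass's implementation, and the site names and dates are constructed for the example.

```python
# Added example: the "when should I change this password?" decision from
# the article as code. Not LastPass's code; sample data is constructed.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class SiteStatus:
    name: str
    was_vulnerable: bool                 # ran an affected OpenSSL build at some point
    patched_on: Optional[date]           # None = still unpatched, or status unknown
    password_changed_on: Optional[date]  # None = never changed since the account was made


def advise(site: SiteStatus) -> str:
    """Return one of: 'no action', 'wait', 'update now', 'already updated'."""
    if not site.was_vulnerable:
        return "no action"
    if site.patched_on is None:
        # A new password sent to a still-vulnerable site can leak just like the old one.
        return "wait"
    if site.password_changed_on is None or site.password_changed_on <= site.patched_on:
        # Changed before the patch, or on the same day (too coarse to be sure): rotate it.
        return "update now"
    return "already updated"


def report(sites: List[SiteStatus]) -> Dict[str, str]:
    """Map each site name to its advice."""
    return {site.name: advise(site) for site in sites}


# Constructed sample data for the example (not real sites or dates).
SAMPLE = [
    SiteStatus("shop.example",   True,  date(2014, 4, 8), date(2014, 4, 7)),
    SiteStatus("mail.example",   True,  None,             None),
    SiteStatus("photos.example", True,  date(2014, 4, 8), date(2014, 4, 10)),
    SiteStatus("bank.example",   False, None,             None),
    SiteStatus("forum.example",  True,  date(2014, 4, 9), date(2014, 4, 9)),
]

if __name__ == "__main__":
    for name, advice in report(SAMPLE).items():
        print(f"{name:16} {advice}")
```

The patched-on date is the one piece of information a consumer cannot see by themselves, which is why a tool that tracks it per site is useful here; a password changed before that date has to be treated as exposed regardless of how strong it is.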