As many of you are already aware, a very serious vulnerability (a software bug) named ‘Heartbleed’ was discovered in a piece of code that is used by the majority of websites to protect the transfer of confidential information. PasswordBox began responding to this issue within the first hour of the initial disclosure and has confirmed that AT NO TIME were PasswordBox systems or PasswordBox user data vulnerable to the Heartbleed bug.
Here are the key points you need to be aware of:
- The bug has existed in releases of OpenSSL, an open-source code library that is used by the majority of websites, since March 2012. There is no hard evidence that hackers were aware of it, or exploited it, but if they had, it would likely have left no trace. It is possible that your passwords or other confidential information were leaked through the websites you used. To clarify, no PasswordBox data was ever compromised – but users may still be affected due to data compromises that occurred on other websites that did use the vulnerable OpenSSL code.
- If you have an account with a site that was vulnerable at any time, even if it has since been fixed, you should change that password immediately. Please visit the resources below for information on which websites were vulnerable to Heartbleed:
List of who was vulnerable as of April 8th:
- Even if the bug was not exploited before April 7th, now that it has been publicly disclosed, it will be. DO NOT USE any website that is still vulnerable. You can check if a site is still vulnerable right now by using this tool.
- This vulnerability can also be exploited to attack browsers, instant messaging clients, VPN clients, BitTorrent clients and other desktop software that uses SSL. It is very likely that attacks like this will start now that the bug has been disclosed. Protect yourself by updating your software as soon as an update is available, as it will have the necessary patches.
If you have questions or concerns about Heartbleed and the security of your data, we want to address them. Get in touch with us by email to [email protected], or connect with us on Facebook and Twitter.
Jefferson Graham from USA Today shares his thoughts on why you should use a password manager and how to choose the right one. Watch the full USA Today video here.
Our Chief Security Officer, Dr. Richard Reiner, speaks with BetaKit about how PasswordBox safeguarded user data from Heartbleed and what users should do today to protect their other accounts. Read the full BetaKit article here.
Geoffrey Fowler of the Wall Street Journal shares some important tips on how and why you should change your passwords. Read the full Wall Street Journal article here.