Your Twitter Password Was Safe From Heartbleed. Other Social Sites? TBD.
News of “Heartbleed,” one of the most catastrophic security vulnerabilities the Web has ever seen, broke earlier this week. In a nutshell, it’ll soon be time to change almost every website password you have.
Almost, but not all.
If you’ve got a Twitter account, your password and other account information wasn’t accessible to hackers via the Heartbleed flaw, according to the company.
“We were able to determine that twitter.com and api.twitter.com servers were not affected by this vulnerability,” Twitter said Tuesday afternoon. A spokesman would not disclose the exact technical reasons Twitter’s systems weren’t vulnerable to the Heartbleed flaw.
Heartbleed has been an active flaw in OpenSSL — a set of encryption software widely used across the entire Web to safeguard user information — for the past two years, according to security outfit Codenomicon, which discovered the flaw. That means that any company — from banking institutions to Internet service providers — which used vulnerable versions of the SSL software from 2012 to today could have been susceptible to attack.
It could also include some of your personal social sites, some of which have already acknowledged potential past breaches.
Twitter’s assurance, for instance, is markedly different from other companies, like Yahoo’s Tumblr, which acknowledged that it had issued a recent patch that fixed the issue, but still remained vulnerable for a long time.
“We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue,” Tumblr said on Tuesday. “But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.”
The same goes for Facebook.
“We added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed, and we’re continuing to monitor the situation closely,” a Facebook spokesman said. The company did not state exactly how long before Heartbleed was made public that it updated its security protections.
“We haven’t detected any signs of suspicious account activity that would suggest a specific action, but we encourage people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don’t use on other sites,” Facebook said.
A fair point, and also a good reminder for everyone to start updating the many passwords they use to log in to sites across the Web. But something to remember before you start going down your password list: Make sure the sites have updated their own security settings before you make any changes, or it could be all for naught.