The so-called Heartbleed security flaw found in the OpenSSL cryptographic software library has created shockwaves for internet companies and users worldwide, and has seen some firms scrabbling to fix and update their servers and software.
Throughout yesterday, messages spread that one of the more notable websites to be affected by the “catastrophically bad” bug was Yahoo.
Test sites like the one created by Filippo Valsorda made it easy for anyone to discover if websites they used might be vulnerable to the OpenSSL flaw.
Very quickly, it became clear that popular sites like Google, Facebook, Twitter and Dropbox were not affected, but other sites (for instance, dating site OKCupid, Imgur, Flickr, Stack Overflow and Eventbrite) were at risk.
Other Web sites shown as vulnerable by Valsorda’s tool include Imgur, OKCupid, and Eventbrite.
But some boffins went further than that, eager to confirm if it was actually possible to exploit the flaw to scoop up email addresses and passwords from people who had logged into Yahoo.
For instance, early on security researcher Mark Loman tweeted an image which appeared to demonstrate clearly how the Heartbleed bug could be used to expose Yahoo users’ usernames and passwords to malicious hackers.
In a nutshell, Yahoo was leaking user credentials.
Meanwhile, other researchers claimed to have uncovered hundreds of Yahoo users’ passwords.
The sensible thing to do, when faced with evidence like this, is to steer well clear of Yahoo’s servers until it is confirmed that the issue has been resolved.
The hours ticked by, and eventually Yahoo was no longer vulnerable. They won’t have been the last vendor to fix this flaw in their product, but they were far from the first either.
But, amazingly, the OpenSSL Heartbleed bug appears to have been around for about two years. Which means that – in theory at least – this gaping security hole could have been actively exploited by unauthorised parties for a long period of time.
Martijn Grooten, the newly-appointed editor of Virus Bulletin, was clear in his belief that all Yahoo users’ passwords should be reset as a precaution.
Yahoo is no longer vulnerable to #Heartbleed. They should reset all their users’ passwords though. And that’s only the beginning.
Let’s go back to the question asked in the title of this article. “Did the Heartbleed bug leak your Yahoo password?”
The simple answer is, we don’t know. But it could have.
And because of that, it’s only sensible to assume the worst and take measures now to prevent any harm from being done.
So, how about it Yahoo? Are you going to reset users’ passwords or not?
For more guidance and further reading:
- The Heartbleed bug: serious vulnerability found in OpenSSL cryptographic software library
- OpenSSL advisory
- Test your server for the Heartbleed bug
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
4 comments on “Did the Heartbleed bug leak your Yahoo password?”
It's simple. If you logged in yesterday, assume your password has been compromised. I've run a script exploiting this bug for about 15 minutes and could get several passwords.
Will the banks be issuing new credit cards to everyone?
No, I didn't think so. Banks don't take security seriously.
I will change the passwords on sites which have already fixed this flaw on their side. Otherwise it is a waste of time. My password management developer suggests the same: http://blogen.stickypassword.com/sticky-password-and-the-heartbleed-bug/
Yes, I will be changing my Yahoo password, since it is supposedly now secure. I will change other passwords when other sites claim they are secure.