Heartbleed – What Can You Do To Stay Safe?

Christian Cawley 11-04-2014

The Heartbleed SSL vulnerability is making headlines around the world – and misreporting in the press and online is causing confusion. How can you stay safe and ensure your personal details aren’t leaked?


What Is Heartbleed? Well, It’s Not A Virus

You’ve probably heard Heartbleed described as a virus. This isn’t the case: in fact, it is a weakness, a vulnerability in servers running OpenSSL. This is the open source implementation of SSL and TLS, the protocols used for secure connections – those that begin https:// rather than the usual http://.


This vulnerability – more commonly referred to as a bug – essentially creates a hole through which hackers can circumvent the encryption. Confirmed on April 7th 2014, it occurs in all versions of OpenSSL except 1.0.1g. The threat is limited to sites running OpenSSL – other SSL and TLS libraries are available, but OpenSSL is employed widely on servers around the web. A fix for the problem exists, but it may not yet have been applied to the websites you regularly visit for secure activities. These might be online shopping, gambling and other adult-themed websites, or even social networking.

As a result, all manner of personal and financial information could be at risk.

To get an idea of how big a deal Heartbleed is (and why it is so-called), Ryan has recently put this Internet-spanning bug into context in Massive Bug in OpenSSL Puts Much of Internet At Risk. We should underline that Heartbleed is an Internet-based vulnerability and therefore affects users of all operating systems, desktop and mobile.


So, it’s a big deal – but what can you do about it?

Ignore The Hype & Don’t Panic

Well, there is one thing you shouldn’t do: panic. A lot has been written across the Internet and in the printed media in the past few days and a lot of it is hype, doom porn that would put the effects of Orson Welles’ famous War of the Worlds radio broadcast to shame.


Much of what you have already seen will have been cobbled together from press releases and other reports by journalists unfamiliar with the terminology and without a clear understanding of the risks.


For instance, you might know that you should change your passwords immediately (not entirely true, we should add – see below). But did you know about the phishing risk?

The Phishing Risk

Responsible web services, banks and social networks that have been affected by Heartbleed will drop you an email to let you know that they have repaired the vulnerability and recommend that you change your password.

Naturally, you should do this – but be aware that this situation presents an ideal opportunity for phishers to start sending fake emails, complete with embedded links to the “change password” page – in reality, a website designed to harvest your details.



None of the services you use should recommend that you click on a change password link in an unsolicited email. Unfortunately, IFTTT did, as did Pinterest (above). This is bad practice and gives the impression that such a link is acceptable and should be clicked.

Unless you have requested the email, such a link should not be clicked.

Heartbleed password reset emails should not include login links. If they do, delete them, then visit the website by typing the address into your browser (or selecting it from history or favourites, depending on how you roll with these things). From there, reset your password…

…but only if you actually need to at this stage.


Unfortunately, the PR-driven need for companies to look like they are doing something about threats like Heartbleed can prove to be just as damaging as the threat itself.

So, Should You Change Your Passwords?

One of the main pieces of Heartbleed advice in circulation is that you should change your passwords immediately.

All of them.

This, sadly, is an example of the misinformation I referred to in the intro. Say you use the same password for several websites. First of all, this is bad practice and you should reconsider doing it in future (not to mention create more secure passwords; see Secure Passwords: Generate A Different Password For Every Website).


Second, if you indiscriminately change all of your passwords, the chances are you’re going to do so on a website that isn’t running on a patched server – one upon which Heartbleed is still a vulnerability.

Inadvertently, you will have potentially shared both your old password and your new password with those able to exploit the vulnerability for their identity fraud and spam operations.

As such, you should only change your password on a site-by-site basis when you know they have been patched – that is, the fix has been applied and the vulnerability closed.

Check Which Websites Have Been Patched

Get started by checking which websites are free from the Heartbleed vulnerability.

There are two ways to do this. First, head to Mashable where an up-to-date list of big-name websites affected by Heartbleed can be found, along with advice as to whether you should change your password or not.

For the smaller websites, this excellent search tool will tell you instantly whether or not the site has been patched.

An alternative is the Chromebleed Checker extension for Google Chrome.

If the websites you use have been affected and have not yet patched the Heartbleed vulnerability, avoid logging in until the situation is resolved.

Conclusion: It’s a Waiting Game

Dealing with the Heartbleed storm shouldn’t be a problem for most. Stick to the course we’ve advised above, and don’t change any passwords until you’re instructed to do so by the corresponding websites and services.


You can also use new tools to check if the website you plan on visiting (or even the one you run) has been affected, and whether a fix has been applied.
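If the site in question is one you run yourself, the first thing to look at is the OpenSSL build on the server. The following POSIX shell check is an added example, not code from the article or from any of the tools it mentions; it assumes the affected range the OpenSSL project announced (1.0.1 through 1.0.1f, plus 1.0.2-beta1, fixed in 1.0.1g) rather than the article's broader wording, and it treats a build date on or after 7 April 2014 only as a hint that a distribution has backported the fix.

```shell
#!/bin/sh
# Added example, not from the article. Assumption: the affected OpenSSL
# releases were 1.0.1 through 1.0.1f (plus 1.0.2-beta1); 1.0.1g fixed it,
# and the 0.9.8 / 1.0.0 branches never contained the heartbeat code.

heartbleed_version_status() {
    # $1 is the output of "openssl version", e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]*|1.0.2-beta1) echo "vulnerable" ;;
        1.0.1[g-z]*|1.0.2*|1.1*|3.*)   echo "patched" ;;
        0.9.*|1.0.0*)                  echo "not-affected" ;;
        *)                             echo "unknown" ;;
    esac
}

# Distributions often backport the fix without changing the version string,
# so a 1.0.1e that was rebuilt on or after 7 April 2014 may already be safe.
# This only gives a hint; the package changelog is the real answer.
heartbleed_build_hint() {
    # $1 is the output of "openssl version -b", e.g.
    # "built on: Mon Apr  7 20:33:29 UTC 2014"
    mon=$(printf '%s\n' "$1" | awk '{print $4}')
    yr=$(printf '%s\n' "$1" | awk '{print $NF}')
    case "$mon" in
        Jan) m=1 ;; Feb) m=2 ;; Mar) m=3 ;; Apr) m=4 ;; May) m=5 ;; Jun) m=6 ;;
        Jul) m=7 ;; Aug) m=8 ;; Sep) m=9 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) echo "unknown"; return 0 ;;
    esac
    case "$yr" in ''|*[!0-9]*) echo "unknown"; return 0 ;; esac
    if [ "$yr" -gt 2014 ] || { [ "$yr" -eq 2014 ] && [ "$m" -ge 4 ]; }; then
        echo "built-after-fix"
    else
        echo "built-before-fix"
    fi
}

# Run against the local binary when one is present.
if command -v openssl >/dev/null 2>&1; then
    echo "version: $(heartbleed_version_status "$(openssl version)")"
    echo "build:   $(heartbleed_build_hint "$(openssl version -b)")"
fi
```

A "vulnerable" version string together with a "built-after-fix" hint usually means a backported package; confirm against the distribution's changelog before trusting it.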

Most importantly, stay safe and be patient. The potential for Heartbleed to cause massive problems is still there – avoid any websites that require patching until you know that they are now secure.

Image Credits: Bullet Heart via Shutterstock, HTTPS via Shutterstock, Don’t Panic Button via Shutterstock, Password via Shutterstock


  1. Mike
    April 20, 2017 at 1:11 am

    Well, it may not be necessary to change all your passwords, but constantly reminding people about security is a good thing. I still know people who logon with 1,2,3 etc. or leave their logon taped to their monitors. Because if you follow all the recommendations you should do it regularly and these "reminders" will nudge more people to do the right thing and reduce the number of bots hopefully.
    Probably, wishful thinking, I suppose.
    You have a real good article on passwords at MUO, I recommend anyone who is thinking of actually trying to create good passwords to read it.

  2. ichibon
    April 15, 2014 at 4:49 pm

    this is a great article well written on a topic of vast interest. kudos to makeuseof for keeping their readers well informed.

  3. Steve M
    April 15, 2014 at 2:30 am

    Very useful and most appreciated! Thanks team MAKEUSEOF!!

  4. Jo-anne P
    April 15, 2014 at 1:51 am

    Thank you so much for taking the time to put this into terms I understand and take the hype and panic out of the equation. I was really starting to panic each time I logged into facebook, pinterest to name a few especially after all the emails I have been receiving. Now I know and I feel much better equipped to deal with the threat with the proper tools and with the proper knowledge. As always makeuseof comes to my rescue with relevant information and the answers I need. Bravo

  5. John W
    April 15, 2014 at 1:09 am

    And the moral of this story is - look out for sloppy journalism.
    Oh no! It makes my heart bleed to think of all those poor people. Quick! Unplug your router. Change all your passwords ....
    God I hate "on the hour" and "soundbite journalism" and don't get me started on that "breaking news" ticker tape crap.

    Personally, I allow my news to mature for a week. Try reading weekend news reviews, where the writer has at least had a few days to consider, research and verify the content. Take your technical info from specialist sites, like MUO or PCPro. Try to ignore or switch off from sensationalist tabloid crap ....

  6. A. S. Bhasker Raj
    April 15, 2014 at 12:42 am

    You have clearly explained the big problem of Heart Bleed in simple ways for every one to understand.
    Daily we hear the news of the HeartBleed on every site and people were confused about what should be done.
    Thanks for the advice.
    A. S. Bhasker Raj

  7. Christine J
    April 14, 2014 at 11:10 pm

    So what do you do if you did change your password from Pinterest? Your article was a day late, so now what? Thank you. I love learning from all articles..

  8. Pamdo
    April 14, 2014 at 9:58 pm

    Great article thanks. However it was HG Wells not Orson Wells who wrote War of the Worlds????

    • Webbie
      April 14, 2014 at 10:16 pm

      HG Wells wrote it. Orson Welles created a radio broadcast that was so lifelike at the time that it created panic amongst the listeners, who thought that there genuinely was an invasion happening.

  9. johnbuk
    April 14, 2014 at 6:17 pm

    Stephen and Christian, thanks again, I do use Lastpass (Ubuntu - Linux) and have run my passwords through their test - same results.
    Thanks for taking the time and trouble to reply.

  10. johnbuk
    April 14, 2014 at 6:13 pm

    Stephen, yes I agree, and to be honest on some accounts I do use a password template that could, with a bit of thought, be tweaked for some other accounts. I generally, however, use one-off type passwords on those accounts I consider "high-value" eg banking, shopping (Amazon etc) and Google.

    I think I'll take your advice anyway and change - for the sake of some hassle it's better than getting hacked.

  11. Stephen R
    April 14, 2014 at 5:59 pm

    I would like to recommend a tool I use, it's called LastPass. You can find out more at

    This is a service which securely stores your passwords, and checks up on the website you're using to see if they have any vulnerabilities.

    For example, when Adobe was hacked, I got a notification from LastPass telling me what I should do. When Heartbleed popped up, I was asked to run a scan so I could be given proper steps to take. These steps included providing me with a list of domains I'm registered on which are affected by Heartbleed, telling me how recently they've updated their security certificate, and advising whether I should update my password now or wait for any particular site.

  12. Johnbuk
    April 14, 2014 at 5:26 pm

    Thanks for the clear and concise article.
    I have, like many people I guess, both Google accounts and Dropbox (amongst many others) and use two step authentication on both using the Google Authenticator on my mobile phone.
    Would you still advocate changing the passwords on these accounts in the circumstances?

    • Stephen R
      April 14, 2014 at 6:07 pm

      If the password on those sites were used on any other sites, it's a risk. Ideally, you would use separate passwords on every site, but if that's not the case you should probably change every password that was a copy of one that's known to be hacked.

      See, if someone hacked dropbox and saw that the password for the email "" was "PolarBear57", they might go to other sites like facebook and attempt logging in with the same credentials, even though this other site may not have been affected.

      (Disclaimer, I made up the email and password. They do not represent any real entities to my knowledge.)

    • Stephen R
      April 14, 2014 at 6:09 pm

      I also wanted to add that my LastPass test asked me to change the passwords for both Dropbox and Google accounts alike. I would recommend the same to you.

    • Christian C
      April 14, 2014 at 6:12 pm

      I would agree with Stephen R, Johnbuk. Many people re-use passwords across websites, so changing both - preferably to different passphrases! - would seem to be the safest bet.

  13. Michael Dowling
    April 14, 2014 at 4:29 pm

    Why not use something like Tunnelbear (a free VPN network) until all your sites have put a fix in?

    • Vc N
      April 14, 2014 at 9:01 pm

      I believe you could still be at risk with something like a Tunnelbear, though a greatly reduced risk admittedly. Plus, a lot of people don't want to go to the trouble to set up a VPN, don't know how, or what ever other reason. Changing your password is the most straightforward security method and it's a good idea to change them periodically anyway, just in case.

  14. Vc N
    April 13, 2014 at 9:04 pm

    I use LastPass, which I got as a reader reward from here (thank you very much), and they have included as part of their password security check a feature that checks your logins against the list of sites affected by Heartbleed which makes it a lot easier if you have a lot of logins for personal and business use or have a family.

    • Stephen R
      April 14, 2014 at 6:02 pm

      Yes! I've used this tool and it really saved me a lot of time. My first instinct was to change my password on every site I've ever used! LastPass saved my time by showing me which ones are actually affected.

    • Steve M
      April 15, 2014 at 2:31 am

      Good to know. I use lastpass too. Thanks

  15. Saumyakanta S
    April 12, 2014 at 7:14 pm

    and tumblr sent a mail to reset password .....

  16. Robert B
    April 12, 2014 at 4:10 pm

    Thanks for a thoughtful article, unlike another that ran here a couple of days ago that made a valiant attempt to in my opinion discredit open SLL and open source software in general. To my knowledge there has not been any indication that there has been any real problems created is there? Other than the reporting of the finding by Google, and I am certain that by the time they released the news about the vulnerability that a patch had already been made and most major web servers had already been patched prior to the news going public. The other article kind of came across like the Sky is Falling kind of article and it is all the fault of crappy encryption by OpenSSL. I can tell you that had this affected a closed source program say one done by Microsoft we probably would never had heard about it until lots of damage had occurred and it probably would have taken a long time to be fixed.

    • Stephen R
      April 14, 2014 at 6:03 pm

      Haha, I agree with you on that point about closed source software.

  17. Linu
    April 12, 2014 at 7:10 am

    Finally someone explains it in simple language!