You know that little padlock you see in the corner of your web browser, the one that says you have a secure Internet connection? It pops up when you visit sites like Twitter, Facebook, Gmail, Yahoo, your bank — it’s almost everywhere. Turns out the connection wasn’t as secure as that little icon would indicate.
A bug in popular encryption software called OpenSSL opened the door for hackers to see everything you typed into a secure field on websites using it during the past two years. What do people type into secure websites? Lots of things: credit card information, Social Security numbers, social media posts. Just think about how many emails you send each week. Yeah, it’s as bad as it sounds.
Independent researchers at Codenomicon and Google Security discovered the vulnerability, which impacts about two-thirds of websites, and a fix has already been released (though it’s still being integrated by individual companies). Still, that’s a massive portion of Internet traffic, especially considering this hole has existed for a long time.
I’m not going to go into server communication and how the software works, but it’s important to know how this affects you.
1. There’s Nothing You Could Have Done
Taking measures to protect your sensitive information (e.g., using strong passwords) should always be a high priority for consumers. But in this case, that wouldn’t have helped.
“You could have the best passwords on the planet,” said Adam Levin, chairman and co-founder of Credit.com and Identity Theft 911, “and yet, it could have been discovered by someone, just because they were watching.”
2. We Don’t Know If Information Was Compromised
The existence of the bug has been confirmed, but there’s no way of knowing if anyone exploited it. It’s not traceable, either. Basically, anything you entered into a site using OpenSSL may or may not have been compromised.
3. Control What You Can
There could be a lot of sensitive information in the hands of people who eavesdropped on your communication with sites protected by OpenSSL, and there’s a possibility that it can be used fraudulently in the future.
You need to watch out for that. Check your bank accounts regularly for unauthorized purchases, review your credit reports to make sure no one has misused your personal information, and regularly check your credit score for sudden changes — you can check two of your credit scores for free every month on Credit.com.
“You really should change your passwords,” Levin said, “because it’s almost like playing Russian Roulette — you don’t know every site that was vulnerable.”
Resetting your passwords may be a pain, but at least you’ll cut off access to your information by rendering any stolen passwords invalid. Just make sure to wait until the security update is released on the site for which you’re changing the password. Until then, monitor your accounts closely for any issues.