Heartbleed: Where You Need to Change Your Passwords

    By Tom's Guide / Paul Wagenseil | Small Business

    The Heartbleed Internet-security flaw is very bad, but contrary to many media reports, you don't have to run out and change all your passwords now. In some cases, it might be better to wait, or not do it at all.

    First, to be clear, you don't need to change any passwords or PINs you use to log into a Windows PC, Mac or mobile device. For the most part, personal computers, smartphones and tablets are not directly affected by Heartbleed.

    Heartbleed affects Web, email and chat servers by undermining the secure connections they make with you. Not all servers are affected, only those that used certain encryption protocols over the past two years. Most servers running Microsoft software, as well as servers that used other encryption protocols, are unaffected.

    Furthermore, although Heartbleed was made public on Monday evening (April 7), some companies got advance warning and patched their vulnerable servers beforehand. Among these were Google, which helped find the flaw, and Facebook. (That doesn't mean they weren't hit before they patched; a Heartbleed attack would have left no trace.)

    Most companies got no advance warning, including Yahoo, which scrambled to patch its servers Tuesday even as security researchers found it was easy to see usernames and passwords as users logged into Yahoo Mail.

    Because of the complexity of the Heartbleed bug, and the way in which the news got out, there are six categories of websites that were affected in different ways.

    The following lists only prominent U.S. websites; for a much more detailed list, see this breakdown of the top 10,000 websites worldwide, compiled Tuesday by former LulzSec hacker Mustafa al-Bassam.

    Sites for which you will definitely need to change your password

    Yahoo, including Yahoo Mail and any Yahoo Group

    Flickr (Yahoo subsidiary)

    Tumblr (Yahoo subsidiary)

    Sites that have asked users to change their passwords, or are making them do so

    Ars Technica

    IFTTT.com

    Trillian

    Sites that were, or may have been, vulnerable to Heartbleed

    These sites patched their servers after the public disclosure, and it's safe to change your password on them.

    Archive.org

    Dropbox

    DuckDuckGo

    Electronic Frontier Foundation

    Etsy

    Eventbrite

    HideMyAss.com

    LastPass

    WordPress.com

    WordPress.org

    Wikipedia

    Woot

    Sites that may still be vulnerable to Heartbleed

    Do NOT change your password on any of these sites until they say they have patched their servers. Otherwise, attackers could capture your new password as well.

    The Atlantic

    Breitbart.com

    The Economist

    Imgur

    Indiegogo

    Netflix

    OkCupid

    Outbrain

    Rolling Stone

    Stack Overflow

    Sites that patched their servers before the Heartbleed disclosure

    These sites are at minimal risk, but were nevertheless vulnerable over the past two years while the Heartbleed flaw existed undetected. It wouldn't hurt to change your password on these — and to activate two-step verification on them, and on Yahoo too.

    Blogger/Blogspot (Google subsidiary)

    Facebook

    Google, including Gmail

    Instagram (Facebook subsidiary)

    YouTube (Google subsidiary)

    Sites that were never affected by Heartbleed and on which you don't have to change your password

    Amazon

    AOL

    Apple

    Ask.com

    Bank of America

    Bing

    Buzzfeed

    Capital One

    Chase

    CNET

    Craigslist

    eBay

    ESPN

    Evernote

    GoDaddy

    Hotmail

    HSBC

    Huffington Post

    Intuit

    LinkedIn

    Live.com

    Microsoft

    MSN

    Newegg

    The New York Times

    PayPal

    Reddit

    Salesforce

    Target

    TD Bank

    Twitter

    Walmart

    The Wall Street Journal

    Wells Fargo

    Zillow

    Copyright 2014 Toms Guides, a TechMediaNetwork company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.