This is a nasty one. It’s been out for quite a while, and it’s a flaw in a software library that’s used by a very large number of websites. Check the link above for the details of just how nasty the bug is.
What can readers do to protect their data?
An important part of the necessary response is beyond any individual user’s control. If a website was using the affected version of OpenSSL, its administrators have to apply the needed patch; until they do, the site is still vulnerable (and there may not be much point in changing your password until the patch is applied). CNET is keeping (and updating) a list of the top 100 sites with information about whether they’re still vulnerable, have been patched, or weren’t vulnerable in the first place; it’s a good place to keep checking.
This is also a good time to pay attention to those emails (that you might ignore at other times) from the services you use most often; while such emails are frequently little more than advertising, this time around they might not be. At least open them up to check.
You might not want to depend on CNET’s list or wait for those emails, though. Some makers of password managers are currently providing online checkers, as PCWorld noted April 9. Those checkers might not be perfect, but they’re not a bad place to start.
Once a vulnerable site is patched, things are back in your hands, and it’s time to change your passwords on the affected sites. Here’s where a password manager may, once again, be a very useful tool, as it can generate strong passwords for you that you needn’t remember, so long as you can recall your master password. And two-factor authentication is still worth the time and trouble.
Did the Heartbleed Bug affect many of the sites you use? How well did those sites do with communication regarding the bug? Has the situation been resolved? Let us know in the comments.