Yes, there’s a high chance that your personal and business logins have been compromised by the Heartbleed bug, and there are steps you should take to protect yourself.
In case you’ve been wondering if the oft-mentioned Heartbleed is indeed the new season’s Game of Thrones villain, I have bad news – it is not.
It is the most significant widespread security bug in recent history that affects websites, servers, routers, phones and video cameras.
According to Netcraft, two-thirds of websites are affected by the bug, including Dropbox, Facebook, Gmail and many others (here is a great summary).
Why it matters to you and your customers
The nature of this bug is that ANY information that passes through a vulnerable website is at risk of exposure until the vulnerable encryption software is patched.
- Whether you are a startup, software vendor, or a consultant, chances are you are using a lot of cloud tools every day, and doing a lot of sharing internally and with clients.
- If you are an e-commerce or transaction-focused company, no matter how small, you are storing a lot of sensitive personal information.
This means that if you are a reader of this blog, you are very likely a user of MANY affected websites, and you may also run a website that has been compromised. You will also notice it quickly, as the people you work with daily and weekly will be changing their passwords too.
What you should do right now
As a user
In a password crisis like this, you should update all of your accounts as soon as possible. Andrew Stroup, CEO of CommonKey, recommends the following 4 steps:
- Identify whether you’re affected (your own website)
- Identify which of your accounts were impacted AND when they have resolved the bug
- Change your passwords (all of them)
- Utilize strong password methodology/generation going forward
Also, be doubly vigilant for phishing scams about password reset in the next few weeks.
As a website operator
The best practice in this situation is to first get a handle on the fix that is required, and then clearly communicate to your customers either right after the fix is in place or with a clear expectation of when it will be. You do not want your customers to change their passwords before you fix the problem, because they would remain at risk.
Best practices for the future
This event has certainly brought to the forefront the fact that most users’ approach to password management is just not secure. Andy Ten, Senior Manager at Hitachi Consulting, said:
“With all of the recent security breaches, many passwords have been exposed – and it’s disappointing to see that many people use one or two passwords for all sites. The best passwords are those that you can’t remember and are unique to each website and service.”
As we have seen a number of times recently, the reputation risk to a brand that leaves itself exposed to a data breach is increasingly high. According to Stephen Singam, Chief Security Technologist at HP Asia,
“Brands should consider using a two-step authentication process.”
That basically refers to sending a real-time text message or app-generated code as a second step when verifying an account or changing a password. While that solution may seem cumbersome at first, it spares you many headaches on a day like today. Some companies, like Box, a file-sharing service, already offer this as a feature.
For those of us who are even more concerned about security, there are biometric authentication solutions coming onto the consumer market that are now affordable and reliable. One great example is Myris from EyeLock, an iris-based authentication solution.
Our digital needs are maturing and so are our security needs. Let’s try to keep up!