Heartbleed takes its name from the Transport Layer Security (TLS) Heartbeat extension: a missing bounds check in OpenSSL's handling of Heartbeat messages lets a peer claim a payload far longer than the one it actually sent, and the server "bleeds" back up to 64 KB of whatever happens to sit in its process memory, as often as the attacker cares to ask. OpenSSL underpins approximately 500,000 secure web servers (close to 20 percent of the world's HTTPS sites), and every one of them running an affected version could have had its private key, its users' session cookies and their passwords read out of memory. Reviews of traffic captured before the disclosure found no evidence that the bug had been exploited before the patched OpenSSL was released, but a Heartbeat probe leaves nothing unusual in ordinary server logs, so that is absence of evidence rather than proof that no passwords were taken. Either way, passwords stayed exposed on any server until that server was patched, and changing your password on a still-unpatched server did not help: the new password, along with everything else sent during the change, was just as exposed as the old one.
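As an added illustration, not code from the article, from OpenSSL or from any of the cited sources, the following cut-down C model puts the pre-patch Heartbeat logic next to the patched version. The message layout follows RFC 6520; the arena, the planted secret string and the function names are constructed for the example, and the padding is zeroed where OpenSSL would use random bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Heartbeat message (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16 bytes)
 * The peer writes payload_length; the TLS record layer separately knows how many
 * bytes really arrived (rec_len). The handler is supposed to echo the payload back. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Shared tail of both handlers: echo payload_len bytes starting at `payload`. */
static int build_response(const uint8_t *payload, uint16_t payload_len,
                          uint8_t *resp, size_t resp_cap)
{
    size_t out_len = 3 + (size_t)payload_len + HB_PADDING;
    if (out_len > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload_len >> 8);
    resp[2] = (uint8_t)(payload_len & 0xff);
    memcpy(resp + 3, payload, payload_len);         /* copies whatever is there */
    memset(resp + 3 + payload_len, 0, HB_PADDING);  /* OpenSSL uses random padding here */
    return (int)out_len;
}

/* Pre-patch behaviour: the claimed length is trusted and rec_len is never consulted,
 * so a short request advertising a long payload echoes memory beyond the record. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t resp_cap)
{
    (void)rec_len;                                  /* the bug, in one line */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    return build_response(rec + 3, claimed, resp, resp_cap);
}

/* Patched behaviour, modelled on the check OpenSSL 1.0.1g added: a request whose claimed
 * payload does not fit inside the record is silently discarded (RFC 6520, section 4). */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t resp_cap)
{
    if (rec_len < 3 + HB_PADDING) return -1;        /* not even header plus minimum padding */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)claimed + HB_PADDING > rec_len) return -1;   /* the missing bounds check */
    return build_response(rec + 3, claimed, resp, resp_cap);
}

/* Write a request carrying `actual_len` payload bytes but advertising `claimed_len`.
 * Returns the true record length, as the record layer would report it. */
size_t build_request(uint8_t *buf, const char *payload, uint16_t actual_len, uint16_t claimed_len)
{
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0, HB_PADDING);
    return 3 + (size_t)actual_len + HB_PADDING;
}

/* Simulated heap: the record sits at the front, and a constructed secret (standing in for
 * a session cookie or password) sits a few bytes after it. */
#define ARENA_SIZE 256
static const char SECRET[] = "session=7f3a9c; user=alice; pw=hunter2";

static size_t setup_arena(uint8_t *arena)
{
    memset(arena, 0, ARENA_SIZE);
    size_t rec_len = build_request(arena, "hello", 5, 80);  /* 5 real bytes, claims 80 */
    memcpy(arena + rec_len + 8, SECRET, sizeof SECRET);      /* adjacent memory */
    return rec_len;                                          /* 3 + 5 + 16 = 24 */
}

static int buffer_contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler's reply to the over-claimed probe carries the planted secret. */
int vulnerable_leaks_secret(void)
{
    uint8_t arena[ARENA_SIZE], resp[ARENA_SIZE];
    size_t rec_len = setup_arena(arena);
    int n = heartbeat_vulnerable(arena, rec_len, resp, sizeof resp);
    return n > 0 && buffer_contains(resp, (size_t)n, SECRET);
}

/* The patched handler's result on the same probe (-1 means silently dropped). */
int fixed_result_on_probe(void)
{
    uint8_t arena[ARENA_SIZE], resp[ARENA_SIZE];
    size_t rec_len = setup_arena(arena);
    return heartbeat_fixed(arena, rec_len, resp, sizeof resp);
}

/* An honest request (claimed == actual) must still get its normal 24-byte echo after the fix. */
int fixed_result_on_honest_request(void)
{
    uint8_t arena[ARENA_SIZE], resp[ARENA_SIZE];
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_request(arena, "hello", 5, 5);
    return heartbeat_fixed(arena, rec_len, resp, sizeof resp);
}
```

The probe in `setup_arena` is the whole attack: five bytes of payload, a length field saying 80, and the vulnerable handler faithfully copies 80 bytes starting at the payload, secret included. The fix is the single comparison of the claimed length against the record length the transport already knew; note that it drops the record rather than answering with an error, which is what RFC 6520 asks for and also why a scan for the bug has to look for the oversized reply rather than an alert.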
- Download the Chrome or Firefox extension that checks whether the site you are visiting is still vulnerable to Heartbleed; this recent article describes them.
- Whenever you view a website over HTTPS, use the browser tool to see whether the site is vulnerable, has been patched, or never needed patching. If it is vulnerable, get out of there right away and do not log in. Once it has been patched, log in and immediately change your password. One caveat: a patched site that is still using the private key it had while vulnerable can be impersonated by anyone who pulled that key out of memory, so the fix is only complete once the site has also reissued its certificate and revoked the old one.
There's no telling what bugs or exploits will turn up next, so rather than urging you to change passwords on a fixed 30, 60 or 90 day schedule, the best advice is to use a different password for every site you log into. That way, when any one site is compromised, only that site and that one account are exposed; a password reused elsewhere hands the attacker every other account along with it.
- inputs from Dave Kearns, Dark Reading, InformationWeek