Why Your Passwords Are At Risk
Last week a serious vulnerability was found in SSL. The Heartbleed bug might not mean anything to you at first, but this is important for several reasons. SSL controls web encryption. Every time that you enter a password on Google, Facebook, or your banking websites, you are using SSL to connect. SSL keeps your credentials encrypted so that no one else can intercept and read them, keeping you safe online.
The discovered problem is extremely serious and affects anywhere from 17% to 60% of all sites on the internet. This means that you should change your passwords as soon as possible. Why? The flaw means that an attacker could gain access to the memory of the web server. When they have access to this memory, they can obtain usernames and passwords (either yours or those used to administer the system), and/or the attackers can obtain the encryption certificates for the website.
The obvious problem is that an attacker obtaining usernames and passwords would have access to your account. This could easily wreck havoc on both your personal and professional lives. Someone could empty your bank account, steal your website, spam all of your contacts, read and disclose confidential customer information, etc. There's virtually no limit to how attackers could abuse your accounts.
The problems caused by stealing the certificates is two-fold:
1) An attacker could set up a website claiming to be related to Google, for instance. It would ask you for your details. Both you and your web browser would believe that you are giving such details to Google because the stolen certificate gives the bad website credibility.
2) If someone were intercepting your web traffic, most of your data from Google, Facebook, etc. would be encrypted. If someone were able to obtain the certificate from the server's memory, they could decrypt all of your historic information.
Google was definitely at risk from the problem and has since fixed it. Same with Dropbox. Facebook may be at risk. Twitter may be at risk. The difficulty in determining who was at risk lies with the companies themselves. Obviously no company wants to immediately come forward and say "We had this problem," but too few companies are stepping forward to say "We're fine, no problem here." The silence is deafening.
Now, just because companies like Google and Dropbox have already fixed the issue does not mean that we don't need to change those passwords. Yes, they fixed the issue, but your credentials could still be out there in the hands of the bad guys.
Finally, when changing passwords, do not use passwords that you use elsewhere. As other sites are also at risk, any passwords that you use elsewhere could be found and used to gain access to your work accounts. Please choose unique passwords for each website. It is okay if you write them down somewhere, or alternatively, you could use a password manager. There are services found online that can assist with password management.
Please forward this email to those in your company who are in charge of IT services.