**Graphic updated on** 16/04 @ 17:37 CEST - (Netflix changes)

The Heartbleed bug - a major security flaw in OpenSSL - has seriously disrupted the online community this week. OpenSSL is one of the most popular pieces of encryption software, and the bug has potentially exposed millions of user details to hackers.

Some online service providers acted quickly, patching the flaw as soon as it was announced. However, many others have yet to act.

If a service provider is yet to apply the patch, you should not change your password. Instead, wait until you receive confirmation from an official channel that the servers have been patched. Only then should you log in and update your details.

Conflicting reports have led to panic - nobody seems to know which sites have been affected, or whether their servers have been patched.

To dispel the confusion, we’ve created a simple password change checklist. It identifies the major sites which have been affected by Heartbleed - and whether they’ve patched their servers yet.


Heartbleed - What passwords to change


Comments

James Bryce

12.04.2014

Very helpful list, it’s nice to have a clear breakdown with all the news stories out at the moment. Thanks guys!

Barry Rueger

13.04.2014

> If a service provider is yet to apply the patch, you should not change your password. Instead, wait until you receive confirmation from an official channel that the servers have been patched.

I probably have log in IDs at at least 50 to 75 web sites here and there. To date not one of them has e-mailed me to say “Hey we fixed it, now change your password.”

This advice is pretty much useless unless system admins are pro-active in letting users know when systems have been patched.

David

13.04.2014

I seriously question the advice that passwords not be changed until the site has announced that it has applied the fix. This simply leaves the user vulnerable if in fact their password is compromised.

I think better advice is to identify those sites where compromise would have a serious impact … e.g., a bank or investment account … and change those passwords frequently … e.g., daily … until AFTER the fix is applied … be sure to make one last change AFTER the fix.

Of particular concern would be any email providers for accounts which could be used to recover password access to other accounts.
