
'The big sites fixed the problem very quickly because they have the resources to do so. In some cases the affected sites outsource IT teams, and there will be small and medium businesses to whom this may sound like gobbledegook. This is going to be a problem that remains for a while,' said Cluely.

When asked what users can do, Emm said: 'If people are concerned they can do a quick check using the Heartbleed Test.' 

LastPass’ Heartbleed Checker similarly looks to see when a site’s secure encryption certificate was last valid and warns if the server may be at risk.

The Heartbleed bug lets anyone on the web read the memory of the systems protected by vulnerable versions of the OpenSSL software. 
It compromises secret keys used to identify the service providers and to encrypt web traffic. 
This includes the names and passwords of the users and the actual content, such as credit card numbers.
Attackers can 'eavesdrop' on communications between servers, steal data directly from them, and use the information to impersonate services and users on other sites or platforms. 
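As an added illustration (not from the article or from OpenSSL's own code), here is a simplified Python model of why the bug leaks memory: the server echoes back as many bytes as the sender claims to have sent, and the fix is a bounds check against the record that actually arrived. The record layout, the NEIGHBOUR data and the helper names are constructed for the model.

```python
import struct
from typing import Optional, Tuple

HB_REQUEST = 1
MIN_PADDING = 16  # a heartbeat record ends with at least 16 bytes of padding

# Constructed stand-in for the data that happened to sit next to the request in
# the server's memory (the "chunks of information" the article describes).
NEIGHBOUR = b"user=alice&password=hunter2&session=8f3a9c1d"


def make_memory(payload: bytes, claimed_len: int, neighbour: bytes) -> Tuple[bytes, int]:
    """Lay out a heartbeat request followed by unrelated data, as a heap region would be.
    claimed_len is what the sender writes in the length field: an honest sender
    writes len(payload), a malicious one writes something larger."""
    record = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING
    return record + neighbour, len(record)


def process_heartbeat(memory: bytes, record_len: int, check_bounds: bool) -> Optional[bytes]:
    """Simplified model of the server side. memory[:record_len] is the record that
    actually arrived; the reply echoes back `claimed` bytes starting at the payload."""
    hb_type, claimed = struct.unpack_from("!BH", memory, 0)
    if hb_type != HB_REQUEST:
        return None
    # The fix: discard the record if the claimed payload (plus header and padding)
    # does not fit inside the record that was actually received.
    if check_bounds and 1 + 2 + claimed + MIN_PADDING > record_len:
        return None
    # The bug: copy `claimed` bytes from the payload start, trusting the sender's
    # number instead of the real record length, so the reply runs past the record.
    return bytes(memory[3:3 + claimed])


def demo() -> None:
    honest, n = make_memory(b"PING", 4, NEIGHBOUR)
    print("honest reply:", process_heartbeat(honest, n, check_bounds=True))
    oversized, n = make_memory(b"PING", 40, NEIGHBOUR)
    print("vulnerable server reply:", process_heartbeat(oversized, n, check_bounds=False))
    print("patched server reply:", process_heartbeat(oversized, n, check_bounds=True))


if __name__ == "__main__":
    demo()
```

The vulnerable reply to the oversized request contains the neighbouring data; the patched server returns nothing, which is why applying the update (and replacing keys that may already have been read) is the remedy.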
James Lyne, global head of research at security firm Sophos told MailOnline: 'This fault undermines the fundamental trust on the internet for anyone running the vulnerable software and it is widely integrated into the technology we all use every day.
'While the fault has now been fixed, providers must apply it manually, so many still are vulnerable.
'Worse still, the defect was in the code for over two years before being discovered by security researchers - attackers could have discovered this at any time during that period and retrieved large volumes of data without anyone knowing.
'At this point the best thing for consumers to do is to assume their passwords and the like have been leaked. They may not have been, but since it's very hard to actually tell retrospectively, it is better to be safe than sorry. 
'As providers rush to patch [the flaw], consumers should apply typical IT security best practice: ensure you change passwords - once you know the issue has been fixed by your provider; update your computers; and don't use the same password across multiple sites or services. 
'This is not the first defect of its kind and it certainly won't be the last, but it is one of the more serious faults we've seen in recent Internet history.'

'This flaw has highlighted why it's never a good idea to use one password across all accounts - it only takes one account to be compromised to put all your accounts at risk,' continued Emm.

'It’s really important moving forward to be vigilant. Keep an eye on your bank statements and accounts and look for any unusual behaviour. Sanity check everything.'

Cluely added: 'If you do want to refresh a password and you're not sure if the site is vulnerable or not, opt for two-factor authentication.

Twitter and Facebook, for example, already offer this tool and then even if a password is stolen, they can't get into the account without the confirmation text message or email code.'

As its name suggests, two-step authentication involves giving users two security steps to go through before being allowed access to their account.

This can include a text message sent to a phone, or a device that generates a unique number every 15 minutes.

Both researchers stressed that it's your information, and if you don't feel the provider is offering enough information, or being quick in its response to the problem, call and email them.

Cluely said you should keep contacting them until they make a statement that reassures you.

Elsewhere, security firm Lookout has created an app that tells users if they're running a vulnerable version of Android on their phone.

While much of the conversation has been about how Heartbleed impacts servers and internet infrastructure, Lookout said it also affects mobile devices.

The app determines what version of OpenSSL the device is using and then checks to see if the specific vulnerable feature, called Heartbeats, is enabled.

The heartbleed bug lets hackers eavesdrop on supposedly secure communications.
It was uncovered by a team of researchers from Google Security and Codenomicon in the OpenSSL cryptographic software.
The software offers encryption services, such as when people log into internet banking, or into a webmail service like Yahoo. 
The fault lets a hacker craft an attack which, under the right conditions, will return small chunks of information from the remote system or service. 
For example, it has been demonstrated that hackers can steal other users’ usernames and passwords from Yahoo - although this flaw has now been fixed. 
Experts are predicting around 17 per cent of all websites are affected.
The flaw originated in 2011, which means that, in theory, if you've used any of the affected sites in the last three years, you may be at risk.
OpenSSL is open-source software that is widely used to encrypt web communications.
It is used to protect websites, instant messaging, email servers, virtual private networks and other communications.
OpenSSL certificates are also used to protect credit card details on select services and the software is used in two of the most widely used Web servers, Apache and nginx.
Research by analytics firm Netcraft found the figure of affected websites is almost 500,000.
The figures vary because many sites use OpenSSL in one way or another, leaving them vulnerable, but a select few use additional measures and encryption techniques to protect data.
Not necessarily. It may be that the Google researchers who discovered the flaw were the first to notice it. However, because a hack wouldn’t leave a trace, it’s hard to tell. 
Security expert Graham Cluely told MailOnline: ‘We don’t know if someone was exploiting it beforehand so I think we shouldn’t leap to any conclusions. Assume the worst and restart from scratch where possible.’
David Emm from Kaspersky Lab urged people to be vigilant; to check their bank and online accounts for any suspicious activity and flag it up to providers as soon as possible. 
The flaw only affects sites that use OpenSSL in one way or another, so if your website doesn't use this software then you are not affected.
If you are unsure, speak to your web developer or IT team, where appropriate. 
If you know that your site runs OpenSSL, update it as soon as possible and replace your encryption keys.

Heartbleed bug: Am I at risk? Do I really have to change my password?

The discovery of Heartbleed, a flaw in one of the most widespread encryption standards used online, has panicked webmasters and users alike.

The bug has gone unnoticed for more than two years and could have potentially given hackers access to an unlimited array of secure data – everything from passwords and login details to credit card numbers and addresses.

Although it's difficult to say exactly how many websites have been exposed, the lower estimates are around 500 million, with a large number of major web companies (Google, Facebook, Yahoo, etc) all forced to update their software to protect against the bug.

However, there have been quite a lot of mixed messages as to whether or not users should change their passwords, with some outlets urging that you should create new ones immediately while others are advising that you wait.

To add to the confusion, there have also been reports of hackers sending out phishing emails related to Heartbleed, in order to trick users into giving up passwords that have yet to be compromised. 

Be on the lookout for these and don't follow any links in suspicious-looking emails - if you want to change a password, go to the site directly.

Which sites are affected?

Most Google sites and services (including Gmail and YouTube - but not Chrome) were affected, as were sites maintained by Yahoo (including Tumblr and Flickr). Facebook was also hit by the bug although Twitter and LinkedIn were not.

Other big sites that have confirmed that they weren’t affected include Amazon, Hotmail and Outlook, eBay, PayPal and all of Apple’s properties – including iCloud and iTunes.  If you want to check whether or not a site you use is still affected then you can do so here – just enter the URL.

Another big worry is for online banking, but thankfully we have some good news in that department. Lloyds, HSBC, RBS, Natwest, Santander and the Co-Op have all confirmed that they were not affected by the bug (they were using different encryption standards). Barclays has yet to issue a statement.

However, this does not mean that your credit card details are completely safe – as they could have been compromised via your Gmail or another third-party site. The security of mobile banking apps is still a developing situation as well.

So do I need to change my passwords?

In a word: yes.  For the sites we’ve listed above as being affected (including Gmail, Yahoo, Tumblr, Flickr, Facebook) it definitely won't hurt to change your password some time in the next couple of weeks.

Although security experts have warned that you shouldn't be too quick to change passwords, this is because not all websites have patched their servers, and changing your password before this happens could make matters worse. The sites we've listed above have patched their servers, and if you want to check one we've not mentioned, click here and enter the URL.

Unfortunately, some sites (including Google) have specifically said that users don't need to change their passwords. While it's true that some sites are confident that they fixed the bug a while back, as most of us are guilty of changing our passwords less frequently than we should do (aka never) we think that this is as good an opportunity as ever to be a bit more security-conscious.

What should my new password be?

In lists of the most frequently used passwords online there are some obvious clangers that we know you're too smart to use (these include old stand-bys such as '123456' and 'password' itself), but just because a password doesn't look obvious to you, that doesn't make it safe.

This means that you shouldn't really use any single words that are found in the dictionary, any words connected to you (place of birth or pets' names), nor should you use any obvious 'substitutions' (eg pa55w0rd; more complicated variations are required) or patterns derived from your keyboard layout (eg '1qaz2wsx' or 'zxcvbnm').

It’s wise to use a variety of characters in your password (including upper and lower case as well as numbers) but an easy way to get more secure is to start thinking of your password as a passphrase.

The easiest way of increasing the difficulty of a password is by simply making it longer – so try combining multiple words together and then adding in numbers between them. 

You could pick a number of some significance to you (for example a loved one's birthday, ie 12/08/1970) and then splice this with a nonsensical phrase ('shoesplittingwatchwizard') to get a suitably difficult password: Shoe12Splitting08Watch1970Wizard.

Other suggested methods for making a strong and memorable password include taking a sentence or a favourite line from a song as a starting point. So you might take the line "When you call my name it's like a little prayer" and turn it into wuCmNilaLP. Madonna is optional of course, but we think this is a fun method - especially if you can work in numbers somewhere.

You should also use different passwords for your different accounts (perhaps the most difficult piece of advice to follow of all) and if you want to be really secure you should also set up two-step authentication where available.
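An added example (not from the article): a small Python checker that applies the rules above, rejecting the list clangers, single dictionary words and their simple substitutions, keyboard-layout patterns and personal details, while accepting the two passwords the article builds, plus a helper implementing its word-and-number splicing method. The wordlists are tiny constructed stand-ins for real dictionary and common-password files, and the 10-character minimum is an assumption the article does not state.

```python
import re
from typing import List, Tuple

# Constructed mini wordlists; a real checker would load full files here.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome", "abc123"}
DICTIONARY = COMMON_PASSWORDS | {"shoe", "splitting", "watch", "wizard", "prayer", "summer"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm", "1qaz2wsx3edc4rfv"]
# Undo the usual symbol-for-letter swaps so 'pa55w0rd' is judged as 'password'.
UNLEET = str.maketrans("0134578$@!", "oleastbsai")
MIN_LENGTH = 10  # assumption: the article says "longer" but gives no number


def has_keyboard_run(pw: str, run: int = 4) -> bool:
    """True if any `run` adjacent keys from one row appear in pw, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            chunk = row[i:i + run]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def check_password(pw: str, personal: Tuple[str, ...] = ()) -> Tuple[bool, List[str]]:
    """Return (acceptable, reasons) using the article's rules; `personal` holds
    details such as a pet's name or place of birth that must not appear."""
    low = pw.lower()
    reasons: List[str] = []
    if low in COMMON_PASSWORDS:
        reasons.append("on the most-used password lists")
    if low.translate(UNLEET) in DICTIONARY:
        reasons.append("a dictionary word or a simple substitution of one")
    if has_keyboard_run(pw):
        reasons.append("contains a keyboard-layout pattern")
    if any(p and p.lower() in low for p in personal):
        reasons.append("contains personal information")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(pat, pw)) for pat in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 2:
        reasons.append("uses only one kind of character")
    return (not reasons, reasons)


def splice(words: List[str], number_parts: List[str]) -> str:
    """The article's method: alternate the words of a phrase with pieces of a number."""
    out = []
    for i, word in enumerate(words):
        out.append(word)
        if i < len(number_parts):
            out.append(number_parts[i])
    return "".join(out)
```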