April 25, 2014.
Hackers can steal personal and confidential information using The Heartbleed Bug. What is it?
Whenever you connect to a remote server with some kind of login and password (website, chat service, e-mail), the data sent back and forth between you and the server is secured (encrypted). This is done so that other people on the internet can't see the data and steal your passwords and confidential information. Encryption software uses a pair of "keys", one public and one private. Public keys are public, of course. But private keys must remain private and "live" on servers. If the private key is ever stolen, then information associated with that private key can be decrypted.
An encryption sample. The word "password" becomes "01MsMFTiR3ONFn0hxGHee3r/2g4ndOQN4VPRaSHqFo4=" when encrypted.
The "Heartbleed" exploit allows an attacker to make unlimited requests to a server, and the server responds with what is essentially raw text. Basically, the attacker asks "Hey Server, give me 1,000 characters of text." And so, the server sends back 1,000 characters of whatever happens to be in its memory at that moment. This raw text could contain bits and pieces of private keys, personal messages and even financial information. Given enough time, an attacker could collect enough relevant information to steal passwords, private keys or any other kind of confidential information. XKCD has a great yet simple comic explaining this. It's pretty much all you need to know:
As you can see, Meg asked for "HAT" plus 500 characters. What she's receiving is "HAT" plus the next 500 characters in the server's memory, which happen to contain some sensitive information (a private key, then further down a password).
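As an added illustration (not code from the original post or from OpenSSL), here is a simplified C model of the heartbeat handler: the vulnerable version trusts the length field inside the request, the fixed version compares it with the bytes actually received. The record layout follows the heartbeat extension (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding); the HB_* constants, the "server memory" contents and the stand-in secret are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding the heartbeat extension requires */
#define HB_HDR      3    /* 1-byte message type + 2-byte payload length */

/* Vulnerable: trusts the length field in the record and never compares it with the
 * bytes actually received, so memcpy runs past the payload into adjacent memory. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                                   /* real size is ignored */
    size_t claimed = (size_t)(rec[1] << 8 | rec[2]);
    if (HB_HDR + claimed + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);     /* the over-read */
    memset(out + HB_HDR + claimed, 0, HB_PADDING);
    return HB_HDR + claimed + HB_PADDING;
}

/* Fixed: a claimed payload that does not fit inside the received record is
 * rejected before anything is copied (the check the OpenSSL patch added). */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_PADDING) return 0;
    size_t claimed = (size_t)(rec[1] << 8 | rec[2]);
    if (HB_HDR + claimed + HB_PADDING > rec_len) return 0;   /* length field lies */
    if (HB_HDR + claimed + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);
    memset(out + HB_HDR + claimed, 0, HB_PADDING);
    return HB_HDR + claimed + HB_PADDING;
}

/* Constructed "server memory": a 22-byte request ("HAT" + 16 padding) whose length
 * field claims 40, then data that must never leave the server (a stand-in, not a key). */
const uint8_t server_memory[] = {
    HB_REQUEST, 0x00, 40, 'H', 'A', 'T',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    'S','E','C','R','E','T',':',' ','p','r','i','v','a','t','e','-','k','e','y','-','b','y','t','e','s'
};
const size_t request_len = HB_HDR + 3 + HB_PADDING;   /* bytes really received: 22 */

/* Runs one handler on the request; returns 1 if the reply contains marker. */
int reply_contains(size_t (*handler)(const uint8_t *, size_t, uint8_t *, size_t), const char *marker) {
    uint8_t out[128];
    size_t n = handler(server_memory, request_len, out, sizeof out), m = strlen(marker);
    for (size_t i = 0; n && i + m <= n; i++)
        if (memcmp(out + i, marker, m) == 0) return 1;
    return 0;
}
```

The vulnerable handler echoes 59 bytes, including the stand-in secret that sat just past the real 22-byte request; the fixed handler returns 0 and sends nothing.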
What can you do about this? Change your passwords! Most large companies that were affected have already patched their systems. (Affected servers are ones that use OpenSSL version 1.0.1 - 1.0.1f.) If you use any of the following sites, you need to log in and change your passwords for those sites: