Understanding ‘Heartbleed’: the latest major online security threat

Millions of web users have been told to change all of their passwords as a result of Heartbleed. So what is it and why has it caused so much damage?

The notorious Heartbleed incident has caused major security panic and prompted companies to insist that web users change all their passwords. But it’s also left many users wondering where the problem has come from and how serious the damage is. So what is Heartbleed and how bad is the threat?

What is Heartbleed?

It’s a bug that has been identified in a common web security programme known as OpenSSL. A weakness in the programme means that information that would normally be protected by the software can actually be accessed and stolen. In its own Q&A on the issue, OpenSSL says it has managed to steal user names, passwords, emails, instant messages and documents from itself while testing the site.

Who is affected?

OpenSSL is one of the most common web security programmes in the world, used by the likes of Google, Facebook, blogging platforms and a host of other websites. According to OpenSSL, the two open source web servers use the programme, Apache and nginx, hold a combined market share of 66 per cent. Given the huge user base it therefore covers, the potential for data loss is quite considerable.

What is being done?

A patch has already been released which effectively fixes the problem, so in theory sites that have applied the patch should now be safe. In a post on its own Online Security Blog, Google announced that it has applied the patch to all of its services that were affected. CNET is keeping tabs on major sites to check whether the patch has been implemented yet.

Is there anything users can do?

Data was compromised for a time before the patch was released and implemented, which is why companies are urging web users to change their passwords on every OpenSSL-protected web service they use. This is especially important for those which contain sensitive data, such as online banking and ecommerce platforms. Crucially, users need to check that the service has applied the patch before changing their password – otherwise it will make no difference to the security of the data.