You need to change your password. Now.

Short & Simple Version: Sites such as Yahoo, Flickr & OKCupid were running a version of OpenSSL with a bug (Heartbleed, CVE-2014-0160) that lets anyone on the Internet read chunks of the server's memory very easily. Those chunks can contain whatever happened to be in memory at the time, including other users' usernames and passwords. Whilst we have no idea how, or even if, this has been exploited, you should change your passwords ASAP for all major services, once each service has patched. Want to know more about securing against these kinds of threats? Email me kieran@peersy.com or subscribe to the site.

A new vulnerability in OpenSSL (Heartbleed, CVE-2014-0160, affecting OpenSSL 1.0.1 through 1.0.1f and fixed in 1.0.1g) has been disclosed. It does not break the encryption itself; instead an attacker can read the memory of a vulnerable server, up to 64 KB per request, and that memory holds data after it has been decrypted: session cookies, usernames and passwords, and potentially the server's private key. A technical explanation can be found at the excellent Heartbleed.com website.

From Heartbleed.com…

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.”

In short: this is bad. We don't know the extent of the damage, or whether anyone has actually used this against a major site, but the potential for damage cannot be overstated. A simpler explanation has been posted on reddit by user mrsifter (linked in the sources below).

If anyone is in any doubt as to how far-reaching this is, here is a sample from a test run against the top 1000 websites earlier today, which GitHub user musalbas has kindly posted. Note that it is a snapshot from the day of disclosure, with sites patching as the day went on, so re-test before drawing conclusions about any particular site:

Testing yahoo.com… vulnerable.
Testing stackoverflow.com… vulnerable.
Testing kickass.to… vulnerable.
Testing flickr.com… vulnerable.
Testing sogou.com… vulnerable.
Testing adf.ly… vulnerable.
Testing outbrain.com… vulnerable.
Testing archive.org… vulnerable.
Testing addthis.com… vulnerable.
Testing stackexchange.com… vulnerable.
Testing popads.net… vulnerable.
Testing avito.ru… vulnerable.
Testing kaskus.co.id… vulnerable.
Testing web.de… vulnerable.
Testing suning.com… vulnerable.
Testing zeobit.com… vulnerable.
Testing beeg.com… vulnerable.
Testing seznam.cz… vulnerable.
Testing okcupid.com… vulnerable.
Testing pch.com… vulnerable.
Testing xda-developers.com… vulnerable.
Testing steamcommunity.com… vulnerable.
Testing slate.com… vulnerable.
Testing scoop.it… vulnerable.
Testing hidemyass.com… vulnerable.
Testing 123rf.com… vulnerable.
Testing m-w.com… vulnerable.
Testing dreamstime.com… vulnerable.
Testing amung.us… vulnerable.

Seriously, change your password. But time it right: a password set on a server that is still vulnerable can be read straight back out of its memory, so wait until the site has patched. Sites whose private keys may have leaked also need to reissue their certificates and revoke the old ones, otherwise an attacker holding a stolen key can keep impersonating them.

Sources:

http://filippo.io/Heartbleed/
https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/
http://www.reddit.com/r/sysadmin/comments/22ijpj/can_someone_eli5_what_the_openssl_vulnerability/cgng7hi