Epic OpenSSL Security Flaw (affects Yahoo users, among others)

[txlaw]

See the following article:

http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

 

The short of it is that if you used Yahoo or any other vulnerable site in the past, it's possible that your password (and other confidential data) has been stolen.  I actually had my Yahoo email contact list stolen, and the culprits have been sending spoof emails from that address to people on my contact list.

 

Could be time to update passwords and actually start using 2-factor authentication. 

[saltybit]

I did a search and didn't find any financial websites affected. Does anyone know if that's indeed the case?

 

(I tried this script https://gist.github.com/takeshixx/10107280 on various sites that I use and didn't find any that were affected, though maybe they have patched things already by the time I got around to it)

 

Probably safer to just change all passwords, after first confirming that the site/service you are using does not have this vulnerability anymore.

[investor-man]

More info: http://heartbleed.com/

 

I'm not sure why Yahoo is singled out, especially since a Google engineer found this, thus identifying an opening they had running for a long time on their own servers. Basically every website out there uses OpenSSL, including all of the banks and financial institutions. Change your passwords! And even better, use multi-factor authentication when available.