On Monday 7th April 2014, news of the Heartbleed bug broke. The bug affects roughly 70% of internet websites that transmit their data over a secure channel using OpenSSL. Heartbleed was a programming error in the OpenSSL code that is used by a huge swathe of the world’s software to manage the secure connections between web browsers and web servers. By exploiting this programming error it was possible for an attacker to view the contents of this “secure” channel between your web browser and the server.
This bug does not affect your my1login account as your key phrase is not sent or stored by my1login and any passwords you store within your account are only sent to my1login in encrypted form. So, even if the SSL packets to and from my1login were viewable, all the attacker would see is encrypted data that’s useless to them.
Heartbleed could affect your interaction with sites that do not employ the same levels of security as my1login. So, where you have entered your my1login passwords on websites that were vulnerable there is a risk that an attacker could have captured your passwords.
How does it affect my1login?
OpenSSL is used by my1login for TLS/SSL, so our servers were technically ‘vulnerable’ to this bug. We patched our servers on 8th April to remove the vulnerability. The bug had been present for some time before it was discovered. While it’s unlikely that the my1login SSL keys were compromised, we’re taking the precaution of having our SSL certificates renewed as well.
While Heartbleed is a serious issue for some providers, my1login actually protects users against the vulnerability. With my1login your usernames, passwords and secure notes are encrypted before they are transmitted to and from my1login, so even if an intruder attempted the exploit, they would only obtain encrypted data that is useless to them.
What you should do next
Your my1login key phrase will not have been exposed, even if my1login’s certificate was compromised. It is therefore not necessary for you to change your my1login key phrase.
Other websites you use will have been vulnerable to this OpenSSL bug, because those sites, unlike my1login, will not have encrypted your data before transmitting it over SSL.
There is some advice out there to change every single password you have. For large enterprises this is an expensive undertaking. Our advice would be to change the passwords on your high-value websites immediately and carry out a risk assessment on the remaining ones. Before changing a password, though, check that the website has patched the vulnerability and updated its SSL keys. You can check this here: http://filippo.io/Heartbleed/
A my1login account helps reduce the cost of large-scale password changes by centralising these assets. Additionally, our Password Generator tool enables you to easily create new, strong passwords to protect your accounts.
Also be wary of phishing attacks from spoofed emails and websites asking you to reset passwords. Such attacks often follow incidents like this one, when attackers take advantage of a previous breach to trick unsuspecting users into handing over their passwords. You can check out our article on phishing to keep yourself protected.
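One practical way to apply the "has the site updated its SSL keys" check above is to look at when the certificate a server presents was issued. The following is an added example, not code from my1login or the Heartbleed checker linked above; it compares a certificate's notBefore date (in the dict shape Python's `ssl` module returns) against the 7 April 2014 disclosure date, and the two sample certificates are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on 7 April 2014 (date taken from the post).
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def reissued_after(cert, cutoff=HEARTBLEED_DISCLOSURE):
    """Return True if the certificate's notBefore date is after `cutoff`.

    `cert` is a dict in the shape returned by ssl.SSLSocket.getpeercert(),
    whose date fields look like 'Apr  9 12:00:00 2014 GMT'.
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])  # UTC epoch seconds
    return not_before > cutoff.timestamp()


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a live server presents (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real): one issued before the disclosure,
# so it may still use a key exposed through Heartbleed, and one issued after.
OLD_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Jan 15 00:00:00 2014 GMT",
            "notAfter": "Jan 15 23:59:59 2016 GMT"}
NEW_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Apr  9 00:00:00 2014 GMT",
            "notAfter": "Apr  9 23:59:59 2016 GMT"}


def classify(cert):
    """Map a certificate to the action the post recommends."""
    if reissued_after(cert):
        return "reissued after disclosure: safe to change your password here"
    return "certificate predates disclosure: wait for the site to rotate keys"


if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(label, "->", classify(cert))
```

A post-disclosure issue date shows the site obtained a new certificate but not that it generated a fresh key pair or patched OpenSSL, so treat it as a necessary sign rather than proof.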
If you’d like to see how my1login can improve your online security and help protect you against hacks, try out the my1login password manager for free, or leave your email address and we’ll send you an information pack.