No, I don’t mean that in a hyperbolic, “hackers are going to steal your identity and basically become an evil pod-person version of you, freak the Hell out!” kind of way. It’s a good idea to change your password often, but it’s an especially good idea if you use a site that employs an OpenSSL version that’s vulnerable to the recently discovered Heartbleed bug. You might be fine, but it’s better to just change your passwords anyway.
The OpenSSL bug doesn’t actually mean that any one site’s database of customer information has been exposed. SSL is the secure system by which your computer and the system it’s contacting make sure they are who they say they are and that your data is going from point a to point b without anyone getting in the middle.
Well, surprise! A coding bug in some common versions of OpenSSL that sites use allows someone to look inside this “secret handshake” and intercept the data that’s being passed back and forth.
Data contained in this secret handshake: friendship.
So, anyone who’s been listening in would’ve been able to lift any secure data right out without anyone ever knowing. Yeah, good luck ever getting your parents to trust online shopping now.
There’s a decent list you can check here to see which sites have been affected, and maybe stay off of them until you’re sure they’ve instituted an updated version of SSL that addresses the bug. As a smart preventative measure, Minecraft‘s servers were taken offline, because they make use of load balancing services offered by Amazon that use the bugged SSL.
We temporarily took down our servers due to this: http://t.co/Fh31TYlRQz A LOT of websites and services are affected by this. Be careful.
— Markus Persson (@notch) April 8, 2014
See http://t.co/tyClzxBhJG for a quick summary on the security breach. #heartbleed
— Kristoffer Jelbring (@KrisJelbring) April 8, 2014
They even had to drop support for an older login method that is beyond repair:
Unfortunately due to this incident, we have been forced to drop support for the legacy Minecraft launcher.
— Kristoffer Jelbring (@KrisJelbring) April 8, 2014
If you’re looking for the silver lining here, it’s that Minecraft and the rest of these sites themselves haven’t actually been hacked. They just had to switch to an updated version of SSL, and everything should be fine again. Still, it’s best to avoid using sites that are vulnerable to the bug until you’re sure they’ve been fixed—especially considering that pretty much everyone on the Internet knows about the bug now.
And maybe change your passwords.
(via Gizmodo, image via Perspecsys Photos)
- A five-year-old discovered an Xbox account security hole
- Minecraft backed out of an Oculus Rift deal because of the Facebook buyout
- What? The Minecraft movie might be live-action?
