Did the Heartbleed bug leak your Yahoo password?

Graham Cluley

The so-called Heartbleed security flaw, found in the OpenSSL cryptographic software library, has sent shockwaves through internet companies and users worldwide, and has seen some firms scrambling to patch and update their servers and software.

Throughout yesterday, word spread that one of the more notable websites affected by the “catastrophically bad” bug was Yahoo.

Test sites like the one created by Filippo Valsorda made it easy for anyone to discover whether websites they used might be vulnerable to the OpenSSL flaw.

Very quickly, it became clear that popular sites such as Google, Facebook, Twitter and Dropbox were not affected, but others (for instance, the dating site OKCupid, Imgur, Flickr, Stack Overflow and Eventbrite) were shown as vulnerable by Valsorda’s tool.

Yahoo found to be vulnerable

But some boffins went further than that, eager to confirm whether it was actually possible to exploit the flaw to scoop up email addresses and passwords from people who had logged into Yahoo.

For instance, early on security researcher Mark Loman tweeted an image which appeared to demonstrate clearly how the Heartbleed bug could be used to expose Yahoo users’ usernames and passwords to malicious hackers.


In a nutshell, Yahoo was leaking user credentials.
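To make concrete what that screenshot demonstrated, here is an added example, a constructed model of my own rather than code from the article, from Yahoo or from OpenSSL itself, of the defect behind Heartbleed (CVE-2014-0160). The TLS heartbeat handler in OpenSSL 1.0.1 through 1.0.1f trusted the payload length claimed inside the heartbeat request and copied that many bytes back to the client, never checking it against the number of bytes actually received, so the reply carried whatever happened to sit next to the request in the server’s memory. The server_memory array, the claimed length of 64 bytes and the adjacent “login=alice&passwd=hunter2” string are all made up for the demonstration; heartbeat_fixed carries the bounds check that OpenSSL 1.0.1g added.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified TLS heartbeat message (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2 };
#define HB_PADDING 16

/* Constructed model of the server's memory: a received heartbeat record that
 * claims a 64-byte payload but really carries 4 bytes, followed by whatever
 * happened to sit next to it on the heap (here, a made-up login form post). */
#define RECORD_LEN (1 + 2 + 4 + HB_PADDING)   /* 23 bytes actually received */
#define CLAIMED_LEN 64
static const uint8_t server_memory[RECORD_LEN + 64] = {
    HB_REQUEST,
    0x00, CLAIMED_LEN,          /* payload_length = 64: a lie */
    'p', 'i', 'n', 'g',         /* the real 4-byte payload */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   /* 16 bytes of padding */
    'l','o','g','i','n','=','a','l','i','c','e','&',
    'p','a','s','s','w','d','=','h','u','n','t','e','r','2', 0
};

/* A well-formed request: claimed length matches the bytes present. */
static const uint8_t honest_record[RECORD_LEN] = {
    HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'   /* remainder is zero padding */
};

/* Vulnerable handler, modelled on OpenSSL 1.0.1 through 1.0.1f: it believes the
 * payload_length in the record and memcpy's that many bytes into the response.
 * Returns the response length written to out, or 0 if nothing is sent. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    (void)rec_len;                          /* never consulted: this is the bug */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;       /* only our own output buffer is checked */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);      /* over-reads whenever payload > rec_len - 3 */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler with the check added in OpenSSL 1.0.1g: a request whose claimed
 * payload does not fit in the record actually received is silently discarded. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;           /* too short to be a heartbeat */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;  /* the missing bounds check */
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Does the byte buffer contain the given string? */
static int contains(const uint8_t *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler's reply to the lying request carries the
 * credentials that sat beyond the end of the record. */
int vulnerable_reply_leaks_secret(void)
{
    uint8_t out[128];
    size_t n = heartbeat_vulnerable(server_memory, RECORD_LEN, out, sizeof out);
    return n == 1 + 2 + CLAIMED_LEN + HB_PADDING && contains(out, n, "passwd=hunter2");
}

/* 1 if the fixed handler drops the lying request without replying. */
int fixed_drops_lying_request(void)
{
    uint8_t out[128];
    return heartbeat_fixed(server_memory, RECORD_LEN, out, sizeof out) == 0;
}

/* 1 if the fixed handler still answers a well-formed request, echoing "ping". */
int fixed_echoes_honest_request(void)
{
    uint8_t out[128];
    size_t n = heartbeat_fixed(honest_record, RECORD_LEN, out, sizeof out);
    return n == RECORD_LEN && out[0] == HB_RESPONSE && memcmp(out + 3, "ping", 4) == 0;
}

int main(void)
{
    uint8_t out[128];
    size_t n = heartbeat_vulnerable(server_memory, RECORD_LEN, out, sizeof out);
    printf("vulnerable handler replied with %zu bytes: ", n);
    for (size_t i = 3; i < n; i++)
        putchar(out[i] >= 32 && out[i] < 127 ? out[i] : '.');
    printf("\nfixed handler replied with %zu bytes\n",
           heartbeat_fixed(server_memory, RECORD_LEN, out, sizeof out));
    return 0;
}
```

The claimed length is kept at 64 here only so that the over-read stays inside the constructed array; a real request can claim up to 65535 bytes, and a client can send as many requests as it likes, which is why a few minutes of probing surfaced other users’ recent logins. Nothing in the request identifies which bytes come back, so the attacker gets whatever was adjacent on the heap, and the server keeps no record that it happened.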

Meanwhile, other researchers claimed to have uncovered hundreds of Yahoo users’ passwords.

The sensible thing to do, when faced with evidence like this, is to steer well clear of Yahoo’s servers until it is confirmed that the issue has been resolved.

The hours ticked by, and eventually Yahoo was no longer vulnerable. They won’t be the last vendor to patch against this flaw, but they were far from the first either.

But, amazingly, the OpenSSL Heartbleed bug appears to have been around for about two years, since the release of OpenSSL 1.0.1 in March 2012. Which means that – in theory at least – this gaping security hole could have been actively exploited by unauthorised parties for a long period of time, and because the leak leaves no trace in server logs, nobody can say whether it was.

Martijn Grooten, the newly-appointed editor of Virus Bulletin, was clear in his belief that all Yahoo users’ passwords should be reset as a precaution.

Yahoo is no longer vulnerable to #Heartbleed. They should reset all their users’ passwords though. And that’s only the beginning.

Let’s go back to the question asked in the title of this article. “Did the Heartbleed bug leak your Yahoo password?”

The simple answer is, we don’t know. But it could have.

And because of that, it’s only sensible to assume the worst and take measures now to prevent any harm from being done.

So, how about it Yahoo? Are you going to reset users’ passwords or not?

For more guidance and further reading:

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

4 Replies to “Did the Heartbleed bug leak your Yahoo password?”

  1. It's simple. If you logged in yesterday, assume your password has been compromised. I've run a script exploiting this bug for about 15 minutes and could get several passwords.

  2. Will the banks be issuing new credit cards to everyone?

    No, I didn't think so. Banks don't take security seriously.

  3. I will change the passwords on sites which have already fixed this flaw on their side. Otherwise it is a waste of time. My password manager's developer suggests the same: http://blogen.stickypassword.com/sticky-password-and-the-heartbleed-bug/

  4. Yes, I will be changing my Yahoo password, since it is supposedly now secure. I will change other passwords when other sites claim they are secure.
