Did the Heartbleed bug leak your Yahoo password?


The so-called Heartbleed security flaw, found in the OpenSSL cryptographic software library, has created shockwaves for internet companies and users worldwide, and saw some firms scrabbling to fix and update their servers and software.

Throughout yesterday, messages spread that one of the more notable websites to be affected by the “catastrophically bad” bug was Yahoo.

Test sites like the one created by Filippo Valsorda made it easy for anyone to discover if websites they used might be vulnerable to the OpenSSL flaw.

Very quickly, it became clear that popular sites like Google, Facebook, Twitter and Dropbox were not affected, but other sites shown as vulnerable by Valsorda’s tool (for instance, the dating site OKCupid, Imgur, Flickr, Stack Overflow and Eventbrite) were at risk.

Yahoo found to be vulnerable

But some boffins went further than that, eager to confirm if it was actually possible to exploit the flaw to scoop up email addresses and passwords from people who had logged into Yahoo.

For instance, early on security researcher Mark Loman tweeted an image which appeared to demonstrate clearly how the Heartbleed bug could be used to expose Yahoo users’ usernames and passwords to malicious hackers.


In a nutshell, Yahoo was leaking user credentials.

Meanwhile, other researchers claimed to have uncovered hundreds of Yahoo users’ passwords.

The sensible thing to do, when faced with evidence like this, is to steer well clear of Yahoo’s servers until it is confirmed that the issue has been resolved.

The hours ticked by, and eventually Yahoo was no longer vulnerable. They won’t have been the last vendor to fix this flaw in their product, but they were far from the first either.

But, amazingly, the OpenSSL Heartbleed bug appears to have been around for about two years, which means that - in theory at least - this gaping security hole could have been actively exploited by unauthorised parties for a long period of time.

Martijn Grooten, the newly-appointed editor of Virus Bulletin, was clear in his belief that all Yahoo users’ passwords should be reset as a precaution.

Yahoo is no longer vulnerable to #Heartbleed. They should reset all their users’ passwords though. And that’s only the beginning.

Let’s go back to the question asked in the title of this article. “Did the Heartbleed bug leak your Yahoo password?”

The simple answer is, we don’t know. But it could have.

And because of that, it’s only sensible to assume the worst and take measures now to prevent any harm from being done.

So, how about it Yahoo? Are you going to reset users’ passwords or not?

For more guidance and further reading:


4 Responses

  1. Fabio

    April 9, 2014 at 6:29 pm #

    It’s simple. If you logged in yesterday, assume your password has been compromised. I’ve run a script exploiting this bug for about 15 minutes and could get several passwords.

  2. drsolly

    April 10, 2014 at 12:06 am #

    Will the banks be issuing new credit cards to everyone?

    No, I didn’t think so. Banks don’t take security seriously.

  3. Lucas

    April 10, 2014 at 9:23 am #

    I will change the passwords on sites which have already fixed this flaw on their side. Otherwise it is a waste of time. My password manager’s developer suggests the same: http://blogen.stickypassword.com/sticky-password-and-the-heartbleed-bug/

  4. Gene

    April 10, 2014 at 8:35 pm #

    Yes, I will be changing my Yahoo password, since it is supposedly now secure. I will change other passwords when other sites claim they are secure.
