The bug puts millions of internet users at risk of having all sorts of sensitive data stolen. It's existed for the past two years, but became especially dangerous in the past few days, since news of the vulnerability was made public — giving attackers a chance to intercept data before websites fixed the problem.
Bottom line: there's a good chance any pieces of information you've sent over the web — your passwords, your social security numbers, or your credit card numbers — could have been stolen through no fault of your own.
But now that the information's out there, you do have the chance to do something about it. Here are the four things you need to do right now to protect your information on the web:
1. Reset all your passwords with a password manager
You'll definitely want to reset the password you use to protect any valuable data — things like your email account, your social media accounts, and any banking or online shopping accounts where you have credit card numbers stored.
True, if these websites haven't been patched yet against the Heartbleed vulnerability, then your new password could be stolen too. But, by this point, most sites have since updated the affected server software (check here to test whether a particular site is now safe, or look at the most current list of sites that are still vulnerable).
Since experts recommend that you use a different, complex password for every site, this is a great time to start using a password manager like LastPass or 1Password. "These services provide two values: they help you generate different passwords at different sites, and they provide cryptographically strong ones," says Michael Bailey, a University of Michigan researcher who works on internet security.
The long, meaningless passwords that are the toughest to crack are the hardest for a human to remember. By creating and storing all these passwords in one secure place, these managers are the best way to protect your data. Of course, doing this creates a new vulnerable target — your centralized collection of passwords — but both these services are well trusted and use robust encryption techniques.
2. Turn on two-step verification
"I strongly recommend two-step to everyone," Bailey says, referring to the option, offered by Google and other sites, that requires two separate credentials from anyone signing in to an account from an unknown device. Typically, the first is your normal password, and the second is a single-use code sent to your phone — so if you lose your phone or change your number, this can be tricky.
Still, it's one of the strongest ways of protecting your account, as someone would need physical control of your phone to gain access.
3. Change all of your passwords regularly
The Heartbleed incident is also a good reminder that you should be changing all of your passwords frequently — the higher value you place on the data protected, the more often you should change it.
"It's just great hygiene to change your password frequently," Bailey says. "I change high value passwords every three months or so, and I do a spring cleaning every year where I change all my passwords." Experts vary in their advice — some say as often as monthly, while others say quarterly — but the important thing is not to leave your password stagnant for very long.
4. Make a list of every site you have a password for
Even if you use a password manager, you'll need to manually change your passwords, so it's a good idea to make a list. Separate the sites into high value and less important categories, and change the passwords accordingly.
If you do all this, it'll make it less likely that your data gets stolen in the long term — and if another vulnerability like Heartbleed comes around, you'll have less to lose, since someone stealing one of your passwords won't have access to any of your other accounts.