Here’s a quick list of major services that were affected by the Heartbleed bug and which require a password change. I’ve included services where it’s not clear yet whether you should change your password in the “Yes, change” list. I’ll update this list as more info becomes available.
Two important notes:
- If you use the same password on multiple sites and just one of those sites was affected, you should change your password on all sites. This is especially important with banking sites; although many banks are saying they were not affected, if you use any of your banking passwords on multiple sites, change ’em all.
- If you change your password now, go back and change it again in a couple of weeks. There’s no knowing whether your current password change will be captured by a yet-to-be-fixed website, so a second change is important to give each service time to clean up their act.
YES, CHANGE PASSWORD
- Amazon Web Services (not Amazon.com store)
- Apple
- Box
- Deutsche Bank
- Dropbox
- eBay
- Etsy
- Evernote
- FBI (!)
- Flickr
- GitHub
- GoDaddy
- Google (including Gmail)
- H&R Block
- Healthcare.gov
- IFTTT
- Intuit
- IRS
- Minecraft
- Netflix
- OKCupid
- SoundCloud
- Tumblr
- Wunderlist
- Yahoo (incl. Yahoo Mail)
NO, DON’T CHANGE PASSWORD
- Amazon
- AOL
- Christian Mingle (well, phew!)
- eBay
- Groupon
- Hotmail
- LastPass (earlier was on the change list)
- Microsoft
- Most banks and stock brokers (such as eTrade)
- Outlook
- PayPal
- Target
Other affected sites and services
This short list is just the tip of the heartbleeding iceberg. I have posted a test of over 10,000 sites, originally posted on Github. The original list is in no particular order, so I have created a PDF with the sites sorted alphabetically into vulnerable and not vulnerable (and those with no SSL, and therefore not vulnerable to the bug), which should make it much easier for you to find sites you use that are vulnerable. Note that this list was created a few days ago and so many of these sites will have been patched and no longer vulnerable; however, you’ll still want to change passwords for those that were vulnerable at any time.
You can also run a check on any site using this Heartbleed test tool.
Monitor your accounts!
One of the most worrying things about Heartbleed is that there’s no way to tell whether a service has been compromised and your data swiped. So it’s important that you monitor your bank, trading and other financial accounts closely. If you use online banking services, check them every couple of days so that if there’s any fraudulent activity, you catch it early.
This is something you need to do for the foreseeable future, because if your data has been compromised, there’s no knowing when it may be used. Just make account monitoring, as well as password changing, a part of your routine. It’s something we all should have been doing all along; Heartbleed has given us a push to make sure we do this in the future.
Noooo! That’s so much work!
Yes, for a lot of us dealing with the Heartbleed Bug will be a real pain, and so I recommend you get some help by installing a password manager. I’ve used Roboform for years and can thoroughly recommend it. If you get Roboform Everywhere, which costs $9.95 for the first year (double that in subsequent years), you can install and use it on your Windows and Mac computers, iOS and Android mobile devices, and access it from any web browser from anywhere. Some alternatives to Roboform are KeePass, 1Password and LastPass.
Related reading on Geekgirl’s: