The Biggest Security Flaw in the History of the Internet May Have Exposed All Your Information

The news: Security researchers have identified a very serious security hole in one of the fundamental technologies protecting personal data across the Internet. OpenSSL, the cryptographic software library that an estimated two-thirds of web servers worldwide use to encrypt connections with end users and guard against digital eavesdropping, has been open to attackers for roughly two years. Only OpenSSL 1.0.1 through 1.0.1f are affected (the flaw sits in an optional TLS extension, so servers running older branches or built without that extension were never exposed), but that still covers a large share of the web. It may be the most widespread security flaw in the history of the Internet.

In a disclosure published Monday, April 7, 2014, the researchers who found it dubbed the critical flaw "Heartbleed," warned that it allows easy, untraceable theft of data from affected servers, and announced that a fixed release, OpenSSL 1.0.1g, was available immediately. The bug was discovered by Google researcher Neel Mehta and, independently, by a team at the security firm Codenomicon, which published the heartbleed.com site quoted below. What went wrong with OpenSSL is now a massive problem with the potential to affect the majority of secure servers on the Internet, controlling everything from banking to retail to email. Here's how the heartbleed.com disclosure described the bug:

Bugs in single software or library come and go and are fixed by new versions. However this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously.
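The flaw itself is a missing bounds check in OpenSSL's handling of the TLS heartbeat extension (RFC 6520): a client sends a heartbeat request carrying a payload and a 16-bit payload length, and the server echoes the payload back. Unpatched versions trusted the claimed length, so a request claiming thousands of bytes while carrying only a few made the server copy that much adjacent process memory into its reply. The following is an added, simplified C model of that handler beside its corrected form; it is not OpenSSL's own code (the real routine is tls1_process_heartbeat, and the fix compares the claimed length against the length of the record actually received). The flat `mem` buffer standing in for the server's heap, the SECRET string planted in it, and all function names are constructed for this demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding follow the payload */

/* Heartbeat message layout: type(1) | payload_length(2, big-endian) | payload | padding */
static uint16_t hb_payload_len(const uint8_t *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Unpatched behaviour: the peer-supplied length is trusted, so memcpy reads past
 * the end of the record actually received into whatever follows it in memory. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t payload = hb_payload_len(rec);
    size_t reply_len = 1 + 2 + payload + HB_PADDING;
    if (reply_len > out_cap) return 0;          /* only the reply buffer is sized */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);          /* BUG: payload may exceed rec_len - 3 */
    memset(out + 3 + payload, 0, HB_PADDING);   /* OpenSSL fills this with random bytes */
    return reply_len;
}

/* Patched behaviour: the claimed length is checked against the record length
 * that was actually received, and an oversized request is silently discarded. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t payload = hb_payload_len(rec);
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;   /* the one-line fix */
    size_t reply_len = 1 + 2 + payload + HB_PADDING;
    if (reply_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return reply_len;
}

/* Constructed scenario: one flat buffer stands in for the server's heap. The
 * request sits at the start; a fake secret is planted a few bytes after it. */
#define MEM_SIZE 512
static const char SECRET[] = "BEGIN PRIVATE KEY: constructed-demo-secret";

/* Writes a request claiming `claimed` payload bytes but carrying `actual`,
 * plants the secret after it, and returns the record's real length. */
static size_t build_memory(uint8_t *mem, uint16_t claimed, uint16_t actual) {
    if ((size_t)3 + actual + HB_PADDING + 8 + sizeof SECRET > MEM_SIZE) return 0;
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memset(mem + 3, 'A', actual);
    size_t rec_len = 3 + actual + HB_PADDING;       /* padding bytes stay zero */
    memcpy(mem + rec_len + 8, SECRET, sizeof SECRET);
    return rec_len;
}

/* 1 if the secret string occurs anywhere in the first n bytes of out. */
static int contains_secret(const uint8_t *out, size_t n) {
    size_t slen = sizeof SECRET - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Sends a 4-byte request that claims 300 bytes to both handlers. Returns 1
 * when the vulnerable handler's reply contains the secret and the fixed
 * handler returns nothing; the optional out-params report each reply length. */
int heartbleed_demo(size_t *vuln_len, size_t *fixed_len) {
    uint8_t mem[MEM_SIZE], out[MEM_SIZE];
    size_t rec_len = build_memory(mem, 300, 4);
    size_t v = heartbeat_vulnerable(mem, rec_len, out, sizeof out);
    int leaked = contains_secret(out, v);
    size_t f = heartbeat_fixed(mem, rec_len, out, sizeof out);
    if (vuln_len) *vuln_len = v;
    if (fixed_len) *fixed_len = f;
    return leaked && f == 0;
}

/* A well-formed 4-byte request: the fixed handler must still answer it. */
size_t wellformed_reply_len(void) {
    uint8_t mem[MEM_SIZE], out[MEM_SIZE];
    size_t rec_len = build_memory(mem, 4, 4);
    return heartbeat_fixed(mem, rec_len, out, sizeof out);   /* 1 + 2 + 4 + 16 = 23 */
}

int main(void) {
    size_t v, f;
    int ok = heartbleed_demo(&v, &f);
    printf("vulnerable handler replied with %zu bytes\n", v);
    printf("fixed handler replied with %zu bytes (0 = request discarded)\n", f);
    printf("%s\n", ok ? "secret leaked only from the vulnerable handler" : "unexpected result");
    return ok ? 0 : 1;
}
```

The demo keeps the over-read inside its own `mem` buffer so it runs deterministically; on a real server the same memcpy walks into neighbouring heap allocations, which is how keys, cookies and passwords from other connections ended up in heartbeat replies. Note that nothing in the vulnerable path fails or logs: the request is well-formed as far as the record layer is concerned, which is the "no trace" property the disclosure warns about.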

What's at risk? It's not theoretical. The Codenomicon team provided evidence that, armed with knowledge of the bug, they could pull secrets out of their own servers from the outside without leaving a trace (the Yahoo Mail logins reported elsewhere were demonstrated by other testers, not by this team). They wrote:

We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

Anyone who noticed and exploited the bug since OpenSSL 1.0.1 shipped it on March 14, 2012 could have had easy access to an enormous number of supposedly secure systems. And as TechCrunch notes, the damage isn't limited to what was read in the moment: if a server's private key was among the leaked memory, an attacker who had recorded that server's encrypted traffic earlier can decrypt it after the fact, unless the server was configured for forward-secret key exchange (TechCrunch's "depending on server configuration"). Redditors aware of the bug claim to have been able to confirm the vulnerability on sites ranging from Yahoo Mail to their banks.

What should you do? Until everyone updates their servers, widespread knowledge of the bug could mean open season for hackers. A Tor Project blog post ominously said that "If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle." Tumblr advises that you change all of your passwords immediately, including for their own service. One caveat: a new password sent to a server that hasn't yet been patched can be stolen just like the old one, so the useful order is to wait until a site confirms it has patched and replaced its certificate, then change your password there.

Fortunately, according to The Verge, Google, Apple, and Microsoft are all unaffected, as well as most major e-banking services. A Heartbleed test site lets website operators and end users check whether a given server is still exposed by the bug; a clean result means the server is patched now, not that it was never exploited.

Even more troubling, there's nothing end users can do to know whether or not they've been compromised: a malicious heartbeat request looks like ordinary protocol traffic and leaves no trace in a server's logs, so neither the site nor its users can tell what was read. Heartbleed is another reminder that much of what we call "security" on the web is chillingly fragile.

Tom McKay

Tom is a staff writer at Mic, covering national politics, media, policing and the war on drugs. He is based in New York and can be reached at tmckay@mic.com.