Heartbleed bug affects Yahoo, OKCupid sites; users face losing passwords

UPDATE 3: Because of a major bug in OpenSSL, Yahoo users are advised not to log in to their email and instant messaging accounts, and other services until the bug is fixed.
Written by Zack Whittaker, Contributor
Screen Shot 2014-04-08 at 1.19.27 PM
A sign of trouble for Yahoo
Image: Fillippo.io

It's one of the only times you'll see me write this: Seeing the words "yellow submarine" is not a good thing today.

A major flaw in OpenSSL, one of the most popular cryptographic libraries used, has left more than two-thirds of the world's web servers vulnerable to data inspection and snooping by hackers.

This exploit can allow attackers to obtain private keys which can be used to decrypt personal and sensitive data, including passwords, credit cards details, and email addresses. The flaw, according to ZDNet's Steven J. Vaughan Nichols, is due to an implementation problem — a programming flaw — rather than that of an issue with its inherent design.

And until the OpenSSL bug, dubbed "Heartbleed," is fixed by web server operators and major companies alike, users should stay clear of certain websites and check them before hand before visiting.

And that includes Yahoo users, of which hundreds of millions are affected, and also OKCupid, a popular urban dating application. 

Imgur told ZDNet by email it fixed the Heartbleed flaw this afternoon. A spokersperson for the image sharing service said: "We also invalidated sensitive data such as cookies and session IDs, just to be on the safe side," and noted that the firm did not believe any attacks have taken place on the service as a result of the bug.

Convo also said in a statement that it has "instituted the proper patches," and, "to date, we have no evidence of any breach." Its spokesperson added: "In addition, our at-rest encryption ensures that an SSL breach would not lead to any of our server data being compromised."

Yahoo did not return ZDNet's request for comment immediately, but as of 4pm ET, the site appeared to be "not affected," according to an online checker.

Meanwhile, LastPass users should not be affected by the bug, according to the company, which wrote in a blog post on Tuesday:

"LastPass customers do not need to be concerned about their LastPass accounts. Though LastPass employs OpenSSL, we have multiple layers of encryption to protect our users and never have access to those encryption keys."

The security firm, which as its flagship service allows its customers to use one password for all their websites and services, said it also employs a feature called "perfect forward secrecy," which it says ensures when security keys are changed, past and future traffic cannot be decrypted even when a key is compromised.

At the time of writing, LastPAss was not showing as "vulnerable" on the Heartbleed website checker, which allows web users to check sites if they are vulnerable to the OpenSSL flaw before visiting them.

Update at 2:40pm ET and 3:30pm ET: with statements from Imgur and Convo.

Editorial standards