back to top

No, You Shouldn't Change Your Passwords Just Yet

Revelations that 500,000 sites have been deemed vulnerable have sparked suggestions users should change their passwords. Here's why you shouldn't do it, at least not yet.

Posted on
Users who change their passwords before websites update any security vulnerabilities may put their data at more risk.
Heartbleed / Via

Users who change their passwords before websites update any security vulnerabilities may put their data at more risk.

An enormous security flaw called Heartbleed that has left more than 500,000 sites vulnerable to attackers has resulted in many commentators suggesting that internet users should change their passwords to any websites that might be at risk. These include the likes of Facebook, Tumblr, and Google, according to a list on Mashable.

But internet security experts have said people should not change their passwords just yet. Instead, they should wait until the company sends them a message, such as the one sent by If This Then That on Wednesday night.

A security researcher with Rapid7, Mark Schloesser, told The Guardian that users could leave themselves in a worse situation if they change their passwords before any vulnerabilities are fixed, revealing both their former and new passwords in one go.

He said: "The estimate is that the larger providers all get patched within the next 24–48 hours [Thursday to Friday afternoon] and I would agree that people should change their credentials when a provider has updated their OpenSSL versions."

Trey Ford, also at Rapid7, added that users should avoid entering any sensitive information on vulnerable sites.

This is because the flaw in the SSL keys means an attacker could intercept communication between the user and the server.

Ford said: "Until this is done, attacks may still be able to steal cookies, sessions, passwords, and the key material required to masquerade as the website."

But there are a number of websites that have already updated their security flaws and recommended for users to update their passwords.

Here's a list:

1. Tumblr.

Tumblr / Via

"Bad news. A major vulnerability, known as 'Heartbleed,' has been disclosed for the technology that powers encryption across the majority of the internet. That includes Tumblr.

We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue."

2. Facebook.

Facebook / Via

"We added protections for Facebook's implementation of OpenSSL before this issue was publicly disclosed. We haven't detected any signs of suspicious account activity, but we encourage people to ... set up a unique password."

3. Google.

"We have assessed the SSL vulnerability and applied patches to key Google services."

4. Yahoo.

Yahoo / Via

"As soon as we became aware of the issue, we began working to fix it ... and we are working to implement the fix across the rest of our sites right now."

5. Dropbox

Dropbox / Via

"We've patched all of our user-facing services & will continue to work to make sure your stuff is always safe."

6. OkCupid


"We, like most of the Internet, were stunned that such a serious bug has existed for so long and was so widespread."

A new website has been released that allows users to see whether your favourite sites have been affected by the security flaw.

Filippo Valsorda / Via

It was launched by an Italian consultant Filippo Valsorda who specialises in cryptography and security.