Public urged to protect passwords amidst Heartbleed bug worry
Experts have warned the public to change their computer and phone passwords following a potentially catastrophic online security breach.
The warning stems from the discovery of an Internet bug called Heartbleed, aptly named due to its ability to create a “bleeding leak” of security.
The bug makes it possible to evade a website’s security and access passwords and personal data, including credit card details.
Neel Mehta, a security researcher with Google, discovered the glitch at the same time as a small Finnish security firm called Codenomicon.
They said it is unknown whether hackers had used it prior to its detection, as it went unnoticed for two years and there is no possibility of evidence showing whether it was exploited or not.
A spokesman for Codenomicon commented: “If people have logged into a service during the window of vulnerability then there is a chance that their password is already harvested.”
The software affected by Heartbleed normally encrypts personal data to make it appear like nonsense to online hackers, and when a line of communication is secure users see a padlock on the page.
However, a programming flaw makes it possible to trick the computer at the other end by sending a small packet of data imitating something known as a “heartbeat”, which is normally used to check that a secure connection is legitimate.
Hackers are therefore able to impersonate websites and steal encryption keys protecting data. The flaw is found in OpenSSL, the software most websites use to maintain the security of data.
Numerous organisations have installed a “patch” to rectify the flaw, but many still remain vulnerable.
One of the worst-affected sites is Yahoo!, which recently issued a warning on Tumblr:
“The little lock icon we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible.”
When contacted by the Mail last night, Britain’s major banks refused to state whether passwords should be changed.
HSBC said they were “monitoring” the situation, while a Lloyds spokesman said they would “not comment” on security matters.
While many experts have advised the public to change their passwords, Mark Schloesser, a researcher for the IT security company Rapid7, has said that changing a password on websites that have not fixed the flaw could expose “both the old and new passwords” to an attacker.