Bad news. A major vulnerability, known as “Heartbleed,” has been disclosed for the technology that powers encryption across the majority of the internet. That includes Tumblr.
We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue.
But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.
This might be a good day to call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking, which may have been compromised by this bug.
Heartbleed is a very, very big deal, and it’s quite rightly scaring the crap out of people. The response here is more complicated than ‘change your passwords’, and that complication is very important.
Heartbleed dumps a portion of the server’s memory out to the attacker. This chunk of memory can contain sensitive information, including your password.
Here’s the kicker: the more recently a vulnerable server has processed your password, the more likely it is to appear in one of these chunks.
And more importantly, if you change your password, you are risking both your old and new passwords.
What do?
Go to filippo.io/Heartbleed. Type in the domain name of the site you want to check (for Tumblr, you would enter tumblr.com) and press “Go!”
If and only if you get a message saying that the site is “not affected”, change your password on that site and any other sites that you use it on. In future, use unique passwords for each site.
If you get a message saying that the site is vulnerable, do not use that site. Keep checking every so often, and only use the site again when you get the “not affected” response.
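Why a patched server stops "dumping a portion of memory", and why an unpatched one keeps doing it no matter how often you change your password, comes down to one missing length check. The following C program is an added illustration written for this page; it is not Tumblr's text, not OpenSSL's code, and it uses a simplified three-byte record layout and a constructed "secret" placed in a single local buffer so the over-read stays inside memory the program owns. The vulnerable handler trusts the length field inside the message; the hardened one rejects a request whose claimed payload does not fit in the bytes that actually arrived, which is the shape of the check the real fix added. Names such as `heartbeat_vulnerable`, `heartbeat_fixed`, `SIM_SIZE` and the `hunter2` secret are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat record layout assumed for this example:
 *   byte 0     : message type (1 = request)
 *   bytes 1..2 : claimed payload length, big-endian
 *   bytes 3..  : payload, which the responder echoes back */
#define HB_HEADER_LEN 3

/* Simulated process memory (constructed): the received record is placed at
 * offset 0 and an unrelated secret sits right behind it at SECRET_OFF. One
 * flat buffer keeps the over-read inside memory we own, so it is observable
 * here instead of being undefined behaviour. */
#define SIM_SIZE     48
#define SECRET_OFF   16
#define SENT_PAYLOAD "ping"
#define SENT_LEN     4
#define CLAIMED_LEN  40      /* far more than the 4 bytes actually sent */
static const char SECRET[] = "password=hunter2";   /* constructed secret */

typedef size_t (*hb_handler)(const uint8_t *, size_t, uint8_t *, size_t);

static size_t read_be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Vulnerable form: trusts the length field inside the message and never
 * compares it with record_len, the number of bytes that really arrived.
 * Whatever follows the real payload in memory ends up in the reply. */
static size_t heartbeat_vulnerable(const uint8_t *record, size_t record_len,
                                   uint8_t *out, size_t out_cap) {
    (void)record_len;                          /* the bug: real length ignored */
    size_t claimed = read_be16(record + 1);
    if (claimed > out_cap) claimed = out_cap;  /* only protects our own out buffer */
    memcpy(out, record + HB_HEADER_LEN, claimed);
    return claimed;
}

/* Hardened form: the claimed payload must fit inside the bytes received
 * (header + claimed length may not exceed the record length). A malformed
 * request is dropped without any reply. */
static size_t heartbeat_fixed(const uint8_t *record, size_t record_len,
                              uint8_t *out, size_t out_cap) {
    if (record_len < HB_HEADER_LEN) return 0;
    size_t claimed = read_be16(record + 1);
    if (HB_HEADER_LEN + claimed > record_len) return 0;
    if (claimed > out_cap) return 0;
    memcpy(out, record + HB_HEADER_LEN, claimed);
    return claimed;
}

/* Fills the simulated memory with a 4-byte request that claims 40 bytes and
 * the constructed secret behind it. Returns the real record length. */
static size_t build_sim(uint8_t *mem) {
    memset(mem, 0, SIM_SIZE);
    mem[0] = 1;
    mem[1] = (uint8_t)(CLAIMED_LEN >> 8);
    mem[2] = (uint8_t)(CLAIMED_LEN & 0xff);
    memcpy(mem + HB_HEADER_LEN, SENT_PAYLOAD, SENT_LEN);
    memcpy(mem + SECRET_OFF, SECRET, sizeof SECRET - 1);
    return HB_HEADER_LEN + SENT_LEN;
}

/* Runs one handler against the simulation; returns 1 if the secret shows up
 * in the echoed bytes (memory leaked), 0 otherwise. */
static int leaks_secret(hb_handler handler) {
    uint8_t mem[SIM_SIZE], out[SIM_SIZE];
    size_t record_len = build_sim(mem);
    size_t n = handler(mem, record_len, out, sizeof out);
    size_t slen = sizeof SECRET - 1;
    for (size_t i = 0; n >= slen && i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* The fix must still echo a well-formed request: 1 if "ping" comes back. */
static int fixed_echoes_valid_request(void) {
    uint8_t rec[HB_HEADER_LEN + SENT_LEN] = {1, 0, SENT_LEN, 'p', 'i', 'n', 'g'};
    uint8_t out[8];
    size_t n = heartbeat_fixed(rec, sizeof rec, out, sizeof out);
    return n == SENT_LEN && memcmp(out, SENT_PAYLOAD, SENT_LEN) == 0;
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", leaks_secret(heartbeat_fixed));
    printf("fixed handler echoes valid ping: %d\n", fixed_echoes_valid_request());
    return 0;
}
```

The simulation is the whole point of the "check before you change anything" advice above: against the vulnerable handler the constructed secret comes back in the reply, against the fixed one the oversized request is simply dropped while an honest four-byte request is still echoed. A "not affected" result only tells you the server has stopped leaking; because the leaked chunks could also have contained the server's private key, operators additionally reissued their certificates after patching.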