14 April 2014

The recent heartbleed vulnerability has attracted a large amount of mass media coverage.

Scammers are using the publicity as an opportunity for phishing: they are sending fake ‘password reset’ emails that try to lure you into installing malware or entering your password on a site they control.

You should expect to receive legitimate notification emails about ‘heartbleed’ from sites you use; however, you should also be cautious about responding to, or clicking links in, any such email.

More information about how to change your password is provided below.

About heartbleed

The heartbleed vulnerability is a flaw in OpenSSL, the software many web servers use to provide secure (https) connections. A specially crafted request causes a vulnerable server to ‘leak’ a small chunk of its memory to whoever sent it, and that memory can contain passwords, session tokens or the server's private keys. Many websites have been affected. Investigations are continuing to examine what other services and technologies are also affected, and what might be required to address them.

With the issue still unfolding, the advice you might find online about heartbleed can vary.

At present, administrators of sites and services known to be affected should be fixing the flaw first (updating the vulnerable software and, where keys may have leaked, replacing certificates), before notifying users to change their passwords.

Unfortunately, scammers are also using this as an opportunity to target users with phishing messages.

You should be cautious about how you respond to emails asking for password resets.

When to change your password for heartbleed

It is important to understand that until the heartbleed flaw has been fixed, the website or service remains vulnerable. Changing your password in the meantime helps only to an extent: it invalidates a password that may already have been leaked, but the new password can be leaked in the same way until the flaw is fixed.

Once the issue is fixed, you should change your password.

Affected websites and services can be expected to contact their users only after they have updated their systems.

However, there is no guarantee that they will, or requirement for them to do so.

Changing your password

Over coming days it is likely that you will receive a number of emails advising you to change your password.

When you receive a notification message, the safest way to change your password is to visit the website independently of any links it contains:

  • Browse to the website by entering the address into your web browser. Do not click links in the email.
  • Find the option on the website for changing your password. This is often in ‘security settings’ or ‘account settings’.
  • Change your password.

Stay Smart Online contains advice on choosing and managing passwords.

If you are using the same password on other sites, you should change those as well. We recommend using a unique password for each site to ensure a stolen password from one site does not work on other sites as well.

Spotting phishing emails

Phishing emails can be hard to differentiate from legitimate requests. It is often easy for a scammer to copy text and images from a legitimate email, making the scam look exactly like real emails.

Phishing emails can contain incorrect spelling, poor language and low quality images; however, these features should not be relied upon, as the quality of some phishing emails can be very high.

To spot a phishing email, you need to check where the links in the email really go, not where the link text says they go. Hovering over a link (without clicking) usually shows the real destination; the part to check is the domain name, and scammers make this difficult by using long addresses, look-alike names, or a real site's name buried inside a different domain. As described above, it is safer to browse to the website directly, rather than clicking a link in an email.
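The checks just described can be made mechanical. The following is an added example, not part of the original Stay Smart Online alert: it pulls every link out of an HTML email and flags the tricks phishers rely on (a trusted name hidden as a subdomain of another domain, a name placed before an ‘@’ so the real host comes later, link text that shows one site while the link goes to another, and plain http). The sample message, the trusted domain ‘example-bank.com’ and the other domain names are constructed for the demonstration.

```python
"""Flag suspicious links in an HTML e-mail (added example, standard library only)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domain the message claims to come from (assumption for this example).
TRUSTED_DOMAINS = {"example-bank.com"}

# Link text that looks like an address, e.g. "https://example-bank.com/login".
URLISH = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?$", re.I)

# Constructed sample message containing one genuine link and three phishing tricks.
SAMPLE_EMAIL = """
<p>Your account may be affected by heartbleed. Please reset your password.</p>
<a href="https://example-bank.com/settings/password">Change password</a>
<a href="http://example-bank.com.account-verify.example/login">https://example-bank.com/login</a>
<a href="https://example-bank.com@203.0.113.5/reset">Reset now</a>
<a href="https://examp1e-bank.com/reset">Reset now</a>
"""


def registered_domain(host):
    """Crude registered-domain extraction: the last two labels of the host.
    Adequate for .com-style names; production code would use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def shown_host(text):
    """Host named in the visible link text, or None if the text is not an address."""
    m = URLISH.match(text.strip())
    return m.group(1).lower() if m else None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Return the reasons a link looks like phishing; an empty list means none found."""
    reasons = []
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        reasons.append("non-web scheme %r" % parts.scheme)
        return reasons
    host = parts.hostname or ""
    if parts.scheme == "http":
        reasons.append("plain http, not https")
    # "https://example-bank.com@203.0.113.5/": everything before '@' is userinfo,
    # the real destination is the host after it.
    if parts.username is not None:
        reasons.append("credentials before host hide the real destination")
    # "example-bank.com.account-verify.example": trusted name used as a subdomain.
    if registered_domain(host) not in TRUSTED_DOMAINS:
        reasons.append("destination %s is not a trusted domain" % host)
    # Visible text names one site, the href goes to another.
    shown = shown_host(text)
    if shown and registered_domain(shown) != registered_domain(host):
        reasons.append("link text shows %s but goes to %s" % (shown, host))
    return reasons


def find_suspicious_links(html):
    """Parse the message and return [(href, reasons)] for every flagged link."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in find_suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the genuine link to example-bank.com passes and the other three are reported with the specific trick each uses. The domain test is deliberately simple; a real mail filter would use a public-suffix list and also compare look-alike characters (the ‘1’ for ‘l’ in the last link is caught here only because the domain is not on the trusted list).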

Staying safe

Be suspicious of any messages you receive from unknown and untrusted sources.

Do not click on links or attachments in a message unless you are completely confident about its content.

You can always navigate to a news source yourself—independently of links in any message—to find a news article.

More information

Stay Smart Online has more information on avoiding online scams and managing spam.

A list of major websites affected by heartbleed is available on Mashable.

The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.


Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.


This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.

This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.

The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.

Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.

Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.


Facebook: www.facebook.com/staysmartonline
Email: staysmartonline [at] communications.gov.au
Web: www.staysmartonline.gov.au

© 2013 Australian Government. All rights reserved
