First, don’t panic. This is a serious problem but you need to put it into perspective. While there is clearly a vulnerability, there are so far no reports of the flaw being exploited. And even though this flaw has been around for the past two years, almost all the major sites have fixed it — in some cases in the last few days.
There have been reports of hardware — routers and other equipment — that could be affected but, so far, we have only heard about devices used in big organizations. To be safe, visit the website of the company that makes your router to see if there are any updates.
What you can (and can’t) do
When it comes to protection, there is very little that individuals can do. It’s up to site and service operators to fix their systems. If you’re unsure about the systems you use, click on the test site links (below) to check them, and be sure to look at CNET’s report on the top 100 sites.
Change your password if your site is now secure
If you can confirm that the sites you’re using are secure, this is a good time to change your password. Actually, you should change passwords every few months anyway. Make sure you’re using a unique password for each site, that it contains uppercase letters, numbers and symbols, and that it isn’t a dictionary word or a common name. This sounds hard, but ConnectSafely’s Tips for Strong Secure Passwords has easy-to-use suggestions. Also, scroll down to view ConnectSafely’s slide show.
Monitor your accounts
The Department of Homeland Security advises that you “Closely monitor your email accounts, bank accounts, social media accounts, and other online assets for irregular or suspicious activity, such as abnormal purchases or messages.”
Beware of ‘phishing schemes’
Also, beware of “phishing schemes.” You might get email that appears to be from banks and other sites, “disclosing” that the site was vulnerable and asking users to reset their passwords. These could be phishing attacks designed to trick you into revealing your log-on credentials to thieves. And some of these attacks are very sophisticated, taking you to sites that look identical to a company’s real site.
If you get such an email, DO NOT CLICK on any links. If you feel that it’s time to change your password (and you should once you know the site is no longer vulnerable), type the site’s URL into your browser and navigate to the password reset page. It’s less convenient than clicking on a link but a lot safer. Here are tips for safe, secure and unique passwords.