TECH

Heartbleed Bug: 'Don't Panic' Warn Security Researchers - But Others Say Change ALL Your Passwords

10/04/2014 14:21 BST | Updated 10/04/2014 14:59 BST

Security experts have urged internet users not to panic and instantly change their passwords in wake of the Heartbleed bug security flaw, despite suggestions to do so from prominent sites like Tumblr.

The catastrophic flaw in Open SSL, the tech used to protect everything from email to online banking, has theoretically made it possible for hackers to unlock years' of complex, previously encrypted data.

The fear is that by everything from passwords to credit card details could be discovered as a result of the flaw.

But Hugh Boyes, cyber security lead at the UK-based Institution of Engineering and Technology said: "Change your passwords - but only after the affected website operators and internet service providers have implemented the patch to fix the bug.

"Changing your password before the bug is fixed could compromise your new password."

The popular blogging website Tumblr, which is owned by Yahoo!, had previously urged its users to change all their passwords, especially those protecting sensitive data like email and bank accounts, immediately.

Independent security expert Bruce Schneier has also called for calm, but emphasised the seriousness of the web security breach.

9 Gadgets To Help You Avoid Surveillance

"The bug has been patched. After you patch your systems, you have to get a new public or private key pair, update your SSL certificate and then change every password that could potentially be affected. 'Catastrophic' is the right word. On the scale of 1 to 10, this is an 11. Half a million sites are vulnerable, including my own."

Users can test their own vulnerability to the Heartbleed bug by visiting a site created by developer Filippo Valsorda, where you can enter web addresses and find out if the bug has been fixed. Once it is confirmed the site has been patched, it's safe to change your password.

"Regularly change your passwords. Depending on how sensitive the application/website is, passwords typically ought to be changed monthly or quarterly. Don't reuse the same passwords on different websites. Try to use a separate password for each website," said Boyes.

The Heartbleed bug was discovered on Monday by a team of security experts, including one from Google, having gone undetected for more than two years.

The bug bypasses the encryption that normally protects data as it is sent between computers and servers, leaving personal and sensitive data vulnerable. It is commonly recognised as the closed padlock that appears in the corner of the web browser to show your connection is secure.