Heartbleed

The Heartbleed Bug is a security vulnerability that causes servers running OpenSSL 1.0.1 to leak login credentials, credit card data, and other sensitive information. SSL is used to encrypt Internet connections to websites, email, VPNs, instant messaging, and other applications. A very large number of major and minor sites have been affected, most likely including ones you log into regularly.

‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.
(Bruce Schneier)

How does it work?

A hacker can use a bug (programmer error) in OpenSSL 1.0.1 to read up to 64k of the server's memory with a single request; by repeating this, they can effectively listen in on the server's working memory.
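The mechanism is a missing length check in the TLS heartbeat handler: the request carries its own payload length, and the server echoed back that many bytes without confirming that many bytes had actually arrived. The following C program is an added illustration, not OpenSSL's code: it models the heartbeat record in a private buffer (a constructed "arena" standing in for process memory, seeded with a made-up secret string) and contrasts a handler that trusts the length field with one that applies the bounds check the patch introduced. The function names (build_request, heartbeat_vulnerable, heartbeat_fixed, run_scenario) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a TLS heartbeat record (RFC 6520 layout):
 *   byte 0     : type (1 = request, 2 = response)
 *   bytes 1..2 : payload_length, big-endian
 *   bytes 3..  : payload, then at least 16 bytes of padding
 * The record sits at the start of a simulated arena so the over-read stays
 * inside memory this program owns. Hypothetical model, not OpenSSL code. */
#define ARENA_SIZE   (70 * 1024)
#define RESPONSE_MAX (1 + 2 + 65535 + 16)
#define PADDING      16

static unsigned char arena[ARENA_SIZE];

/* Place a heartbeat request in the arena and fill the memory after it with a
 * recognisable (constructed) secret. Returns the record length that was
 * actually transmitted, i.e. the trusted value the TLS record layer knows. */
static size_t build_request(uint16_t claimed_len, const char *payload, const char *secret)
{
    size_t real_len = strlen(payload), sl = strlen(secret);
    memset(arena, 0, sizeof arena);
    arena[0] = 1;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, real_len);
    size_t record_len = 3 + real_len + PADDING;       /* padding bytes stay zero */
    for (size_t i = record_len; i + sl <= sizeof arena; i += sl)
        memcpy(arena + i, secret, sl);                /* "other heap data" */
    return record_len;
}

/* Vulnerable handler: trusts the peer-supplied length field and copies that
 * many bytes from the payload, the OpenSSL 1.0.1 mistake. Returns bytes echoed. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t record_len, unsigned char *out)
{
    (void)record_len;                                 /* never consulted: the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return payload_len;
}

/* Fixed handler: the claimed payload must fit inside the record that was
 * received (type + length + payload + minimum padding), otherwise drop it.
 * Returns bytes echoed, or 0 when the record is discarded. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t record_len, unsigned char *out)
{
    if (record_len < 1 + 2 + PADDING)
        return 0;                                     /* too short to hold a header */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + PADDING > record_len)
        return 0;                                     /* length lies: silently discard */
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return payload_len;
}

/* Does the response carry bytes that were never part of the request? */
static int response_leaks(const unsigned char *out, size_t n, const char *secret)
{
    size_t sl = strlen(secret);
    for (size_t i = 3; i + sl <= 3 + n; i++)
        if (memcmp(out + i, secret, sl) == 0)
            return 1;
    return 0;
}

/* Run one scenario end to end. Returns the number of payload bytes echoed,
 * or -1 if the response contained memory from outside the request. */
static long run_scenario(int fixed, uint16_t claimed_len)
{
    static unsigned char out[RESPONSE_MAX];
    const char *secret = "SESSION=deadbeef;";           /* constructed sample */
    size_t rl = build_request(claimed_len, "ping", secret);
    size_t n = fixed ? heartbeat_fixed(arena, rl, out)
                     : heartbeat_vulnerable(arena, rl, out);
    return response_leaks(out, n, secret) ? -1 : (long)n;
}

int main(void)
{
    printf("vulnerable, honest length 4  : %ld\n", run_scenario(0, 4));      /* 4  */
    printf("vulnerable, claimed 65535    : %ld\n", run_scenario(0, 65535));  /* -1 */
    printf("fixed, claimed 65535         : %ld\n", run_scenario(1, 65535));  /* 0  */
    printf("fixed, honest length 4       : %ld\n", run_scenario(1, 4));      /* 4  */
    return 0;
}
```

The honest 4-byte request is echoed identically by both handlers; the request that claims 65535 bytes makes the vulnerable handler copy the neighbouring "secret" into its reply, while the fixed handler compares the claim against the length the record layer actually delivered and drops the record. That comparison is the whole of the fix, which is why the patch was a few lines and the impact was not.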

See XKCD's 1-page Comic for an illustrated explanation.

When did this happen?

The vulnerability has existed since 2012. Its existence was publicly announced on 7 April 2014.

What to do if you are an Internet user:

  1. Exit your browser, mail, chat, & VPN clients. This will reset your SSL connections.
  2. Do not log into any vulnerable websites, not even to change your password. If your credentials were already stolen prior to the announcement, they're not more likely to be exploited now rather than earlier. However, it is much more likely that someone is listening in on a leaky server since the Heartbleed announcement on April 7th. So don't talk to leaky servers.
  3. Reset your password on every affected site after it has been fixed.
  4. Always verify the address of the site you're logging into or use your bookmarks. Don't blindly trust any emails about resetting your password, since scammers may take advantage of this opportunity to phish your credentials.

To check if a website is vulnerable, paste its address here: http://filippo.io/Heartbleed/

A list of common websites’ test results from 8 April 2014 can be found on GitHub here.

Read more about Heartbleed on Ars Technica.

What to do if you are a sysadmin:

Read the Technical FAQ.

You may also want to run Qualys’ SSL Server Test to check your SSL configuration.