A lot of folks are going around at the moment telling the public to change all of their passwords in response to the serious Heartbleed internet security bug.
That’s awful advice.
You should only change your password in response to the Heartbleed bug after a website or internet company has:
1. Checked to see if it is vulnerable
2. Patched its systems
3. Grabbed a new SSL certificate (having revoked their previous one)
4. Told you it is fixed
The danger is that if you change your passwords *before* a website has been fixed, you might actually be exposing your credentials to *greater* risk of being snarfled up by people exploiting the vulnerability in the buggy versions of OpenSSL.
http://grahamcluley.com/2014/04/heartbleed-bug-passwords/

Affected sites where you *should* change your password include Facebook, Google/Gmail, Yahoo/Yahoo Mail and Amazon Web Services, according to the BBC. On other websites you should only change your password if you use the same password for multiple websites.
If you receive an email from a website stating that you should change your password, don't follow a link in the email. It could be a carefully constructed phishing email designed to replicate a genuine email, in which case you'd be giving away your current password; see "In the wake of Heartbleed, watch out for phishing attacks, disguised as password reset emails". Instead, visit the website via e.g. a link you've saved in Bookmarks / Favourites and then change your password.
GGi isn't affected by the Heartbleed bug.