On Monday, a serious security vulnerability in OpenSSL – software which two-thirds of the Internet uses to keep connections secure – was announced and nicknamed “Heartbleed.” This vulnerability allows an attacker to steal sensitive data (such as account information and passwords) from various web services and clients.
We want all of our users to know that Lookout’s website was not affected by the vulnerability; however, some of Lookout’s other Internet-facing infrastructure was. We took care to protect our users as soon as possible, patching our systems and replacing all of our SSL certificates within hours of the bug’s public release.
However, because two-thirds of all active websites depend on OpenSSL to communicate securely, some of the other services you use may not be patched yet.
How can you protect yourself?
Look out for communications from the services you use. As companies patch this vulnerability and secure their own systems, some may send emails or other communications to let you know. Not all services will be communicating about this vulnerability, but you can always contact them to ask if their systems are secure.
Get a new password ready. If you receive communications from any of your service providers telling you that their systems are secure, this is the best time to change your password. Changing your password before a system is secure could actually make your new password easier to intercept.
Download Lookout’s Heartbleed Detector. The OpenSSL vulnerability also impacts some Android devices. Although the likelihood that you will encounter an exploit is low, our Heartbleed Detector app will let you know if your operating system is affected by the Heartbleed bug and if the vulnerable behavior is enabled. You can download the app in Google Play now.
To learn more about the Heartbleed vulnerability, read our blog post: https://blog.lookout.com/blog/2014/04/09/heartbleed/.
(article from information mailed out by Lookout Security)