Public advised to change all passwords due to major security flaw

Tumblr, a social media company owned by Yahoo, and a number of Internet security firms have independently advised the general public to change their access passwords “everywhere” due to a vulnerability discovered in major security software.

“Bad news,” a press release from Tumblr reads, “A major vulnerability, known as ‘Heartbleed,’ has been disclosed for the technology that powers encryption across the majority of the Internet.”

According to the L.A. Times, the security flaw affects the “widely popular” OpenSSL security library that helps secure websites that use HTTPS encryption.

According to the Times, the problem was discovered by Neel Mehta of Google’s security team and by a team of security engineers at Codenomicon.

On an informational website set up by Codenomicon, the group says, “This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).”

The site also says a new version of OpenSSL has been released — called Fixed OpenSSL — but that product must now be adopted by any number of system vendors and distributors, appliance vendors, and independent software vendors before the threat can be considered mitigated.

Tumblr goes so far as to suggest users take immediate action.

“This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug.”