Heartbleed & change password


According to the heartbleed.com website, the compromised personal data are relevant to X.509 certificates (used in SSL communication) and NOT the millions of passwords of email accounts inside the databases at Google, Yahoo, AOL, etc. For this reason, changing the password for our email accounts is completely useless.


EQ Forum Admin
Staff member
Your statement is incorrect.

The problem isn't with access to the databases but with access to the passwords temporarily available to be stolen from memory when a user logs in.

Many email services use SSL for encrypting web-based access (HTTPS port 443) and POP3+SSL (port 995) and/or IMAP+SSL (port 993) access.

Lots of those services use the vulnerable versions of OpenSSL because of the SSL upgrades that were recently required for addressing the BEAST vulnerability.

Both Gmail and Yahoo Mail recommend that users change their passwords.

I recommend enabling 2-factor authentication for services that support it too.

More information - http://www.emailquestions.com/email-articles/9175-heartbleed-average-user-server-owner.html