If you haven’t updated your password since 4/7, we strongly encourage it.
Google researchers recently found a bug in the security software behind most websites (even Yahoo and Twitter). As a precaution, we strongly encourage all of our users to update their password. It’s quite easy: complete our forgot-password form, click the emailed link, then set your password to something new.
At Refund Retriever we take your security very seriously, so we are quickly responding to this issue. Two thirds of all websites – including major sites with large security budgets – have the software in question, so you may receive more emails like this one. It would be wise to update any other important passwords you use, too. If you operate a website using security measures or requiring PCI compliance, you have a new project.
We are suggesting this as a precautionary measure. We have seen no evidence that any data has been compromised. We have already mitigated the issue on our end, by installing updates and re-issuing security certificates (click your browser’s lock symbol for details), along with other measures.
Now’s a good time to revisit some password tips. Leading experts agree these habits will reduce your risk for many different kinds of threats:
- Don’t use the same password everywhere
- Change your passwords regularly – such as weekly / monthly for the most important passwords, and quarterly / yearly for less important ones
- Use a password manager – this makes the previous two tips much easier to follow, along with many other benefits. LastPass and KeePass have great reputations, and there are others out there
Again, security is a top priority, as we’re happy to demonstrate today. For more details, these are some wonderful links:
- Forbes has a good write-up about the issue
- Noted cyber-security expert Bruce Schneier has insightful commentary and links
- Freedom to Tinker has useful advice on how to respond to the bug
- Krebs on Security also has useful advice
- These sites let you enter a domain and determine if it’s still vulnerable:
- For a layman’s explanation of how the bug is a problem, XKCD has a descriptive comic about it
If nothing else, put “Heartbleed OpenSSL” into Google; that’s a good start.