Heartbleed and Oh Shit - this is important to everyone.
So, as of less than 24 hours ago, this is a thing:
This is exceedingly important - about 66% of the web uses openssl.
Now, correct me if I'm wrong (I don't want to fearmonger), but this effectively means if you have ever signed on to a secure website (https, not http... or, in fact, if you've ever passed info over TLS), there is about a 66% chance that this vulnerability existed on that server. And since it's been around for A FEW versions of openssl (1.0.1 was released March 14, 2012 according to my server), it's likely a couple folks have been heartbleeding servers for a long time.
So... your passwords? There is an EXTREMELY good chance that many of your passwords have been leaked in plaintext. Not to mention any security questions - basically anything you've ever typed into a secure webform since this heartbleed bug went into effect is very suspect. A cursory google search suggests steam has been affected by this (though I didn't read any of the posts, just the headlines).
What this means for you right now is a lot, but the consequences may not appear until down the line:
- Any of your passwords that were scooped up by a heartbleeding eavesdropper are now likely part of a dictionary (not Webster's, the kind used just before brute-force cracking).
- The next time a big corporation (e.g. Target) loses their customers' hashed password table, someone's going to attempt to test all known passwords using those dictionaries.
Ergo, next time there's a big corporation hack, your shit will be out in the open within the day.
I would give it about three days - I figure in at MOST three days, every important secure server will have patched openssl (most of them have already done so, I hope). At that point, I'm going to change every password on every website I know of. I would urge you to do the same.
If someone who knows more about security than I do can debunk this, PLEASE do so. I don't want to stir shit up because I understood things wrong.
EDIT: Fixed the date of openssl 1.0.1
ANOTHER EDIT: If you've put any personal info into a secured server at all in the last 24 hours, you're pinning your hopes and dreams on the server admin having updated openssl. It's a safe bet that now that people know the heartbleed bug is available, they're using it anywhere they can in the hopes that a server admin is slow. Don't log in, don't log out, just don't do anything that will pass authentication information anywhere for a little bit.
Also, silver (ish) lining... Since this has been out for three years, it's likely that if you weren't hacked in one of the myriad number of security fiascos in the last few years, your stuff wasn't leaked (this bug probably wasn't too well-known until recently). Of course, saying 'I haven't been hacked yet, so my info probably wasn't lifted' is a big bag of security through obscurity... and we all know how that goes down. Change your shit.
tl;dr Wait a few days and change every web password and security question you've ever had. Also, get a password manager.
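The two bullet points above (captured plaintext passwords becoming a cracking dictionary, then that dictionary being run against a later-leaked hash table) and the closing advice to use a password manager can be shown end to end with a small script. The following is an added illustration, not code from the original post or from any affected site: the "leaked" passwords, the user accounts and the breach table are all constructed sample data, and the hash scheme (salted PBKDF2-HMAC-SHA256 from the Python standard library) is an assumption standing in for whatever a real site uses.

```python
import hashlib
import os
import secrets
import string
from typing import Dict, List, Tuple

# Constructed sample: passwords an eavesdropper could have read in the clear
# from a server with the bug. This is the "dictionary" the post refers to.
LEAKED_PASSWORDS = ["hunter2", "Spring2014!", "letmein", "correct horse battery staple"]

# Per-user salt + PBKDF2 is a reasonable way for a site to store passwords.
# Note that it does not help at all against a password the attacker already
# has in plaintext; it only slows guessing of passwords they do not have.
PBKDF2_ROUNDS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of a password (assumed storage scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user_table(accounts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a constructed 'leaked hash table': user -> (salt, digest)."""
    table = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        table[user] = (salt, hash_password(password, salt))
    return table


def accounts_hit_by_dictionary(table: Dict[str, Tuple[bytes, bytes]],
                               dictionary: List[str]) -> List[str]:
    """Users whose stored hash matches a dictionary entry.

    Because every user has a distinct salt, each candidate has to be re-hashed
    per user; that cost is exactly what salting buys you, but a short list of
    already-known plaintext passwords is cheap to try regardless.
    """
    hit = []
    for user, (salt, digest) in table.items():
        for candidate in dictionary:
            if secrets.compare_digest(hash_password(candidate, salt), digest):
                hit.append(user)
                break
    return sorted(hit)


def random_password(length: int = 20) -> str:
    """What a password manager generates: a unique, high-entropy password per site."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def run_demo() -> Dict[str, int]:
    """Constructed breach at some unrelated site, after the Heartbleed-era leak.

    alice and bob reused a password that was captured elsewhere; carol and dave
    used manager-generated passwords that never appeared on the wire in the clear.
    Returns a summary so the effect can be checked programmatically.
    """
    accounts = {
        "alice": "hunter2",              # reused; appears in LEAKED_PASSWORDS
        "bob": "Spring2014!",            # reused; appears in LEAKED_PASSWORDS
        "carol": random_password(),      # unique per site
        "dave": random_password(),       # unique per site
    }
    table = make_user_table(accounts)
    cracked = accounts_hit_by_dictionary(table, LEAKED_PASSWORDS)
    return {
        "accounts": len(table),
        "cracked_by_leaked_dictionary": len(cracked),
        "reused_password_accounts": sum(pw in LEAKED_PASSWORDS for pw in accounts.values()),
    }


if __name__ == "__main__":
    summary = run_demo()
    print(summary)  # the two reusers fall instantly; the two unique passwords do not
```

The point the script makes is the one in the post: a properly salted hash table does nothing for a user whose password is already sitting in plaintext in somebody's dictionary, while a unique per-site password from a manager turns the same leaked table into no more than a rate-limited guessing problem. Changing every reused password, and not reusing the replacements, is what actually removes the exposure.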