The Heartbleed Internet-security flaw is very bad, but contrary to many media reports, you don't have to run out and change all your passwords now. In some cases, it might be better to wait, or not do it at all.
First, to be clear, you don't need to change any passwords or PINs you use to log into a Windows PC, Mac or mobile device. For the most part, personal computers, smartphones and tablets are not directly affected by Heartbleed.
MORE: Heartbleed: Who Was Affected, What to Do Now
Heartbleed affects Web, email and chat servers by undermining the secure connections they make with you. Not all servers are affected, only those that used certain encryption protocols over the past two years. Most servers running Microsoft software, as well as servers that used other encryption protocols, are unaffected.
Furthermore, although Heartbleed was made public on Monday evening (April 7), some companies got advance warning and patched their vulnerable servers beforehand. Among these were Google, which helped find the flaw, and Facebook. (That doesn't mean they weren't hit before they patched; a Heartbleed attack would have left no trace.)
Most companies got no advance warning, including Yahoo, which scrambled to patch its servers Tuesday even as security researchers found it was easy to see usernames and passwords as users logged into Yahoo Mail.
Because of the complexity of the Heartbleed bug, and the way in which the news got out, there are six categories of websites that were affected in different ways.
The following lists only prominent U.S. websites; for a much more detailed list, see this breakdown of the top 10,000 websites worldwide, compiled Tuesday by former LulzSec hacker Mustafa al-Bassam.
Sites for which you will definitely need to change your password
Yahoo, including Yahoo Mail and any Yahoo Group
Flickr (Yahoo subsidiary)
Tumblr (Yahoo subsidiary)
MORE: Yahoo Mail and Heartbleed: How to Secure Your Account
Sites that have asked users to change their passwords, or are making them do so
Ars Technica
IFTTT.com
Trillian
Sites that were, or may have been, vulnerable to Heartbleed
These sites patched their servers after the public disclosure, and it's safe to change your password on them.
Archive.org
Dropbox
DuckDuckGo
Electronic Frontier Foundation
Etsy
Eventbrite
HideMyAss.com
LastPass
Wordpress.com
Wordpress.org
Wikipedia
Woot
Sites that may still be vulnerable to Heartbleed
Do NOT change your password on any of these sites until they say they have patched their servers. Otherwise, attackers could capture your new password as well.
The Atlantic
Breitbart.com
The Economist
Imgur
IndieGoGo
Netflix
OK Cupid
Outbrain
Rolling Stone
Stack Overflow
Sites that patched their servers before the Heartbleed disclosure
These sites are at minimal risk, but were nevertheless vulnerable over the past two years while the Heartbleed flaw existed undetected. It wouldn't hurt to change your password on these — and to activate two-step verification on them, and on Yahoo too.
Blogger/Blogspot (Google subsidiary)
Google, including Gmail
Instagram (Facebook subsidiary)
YouTube (Google subsidiary)
MORE: How to Turn On Two-Step Verification
Sites that were never affected by Heartbleed and on which you don't have to change your password
AOL
Apple
Ask.com
Bank of America
Buzzfeed
Capital One
Chase
CNET
Craigslist
eBay
ESPN
Evernote
GoDaddy
Hotmail
HSBC
Huffington Post
Intuit
Live.com
Microsoft
MSN
Newegg
The New York Times
PayPal
Salesforce
Target
TD Bank
The Wall Street Journal
Wells Fargo
Zillow
Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.
- Best Android Antivirus Software 2014
- Aviator Brings Secure Private Browsing to Windows
- Best Online Password Managers 2014
