The Heartbleed bug is causing major problems for people.  There’s been loads of press coverage about the bug, its impact, and the fact that people have to immediately change their passwords for affected websites.  What’s been harder to find, however, is which websites have been affected so people know which passwords to change.

Jose Pagliery published a very helpful article providing just this type of information (“Change these passwords right now”; money.cnn.com; April 11th).  In his article, Mr. Pagliery provides three categories of companies that responded to date to CNN’s questions about their respective websites.  He lists companies who’ve patched their websites; those that didn’t need to do so; and finally, companies from whom he and CNN have not yet heard.

The four companies who’ve reported patching their websites are: Google, YouTube and Gmail; Facebook; Yahoo, Yahoo Mail, Tumblr, Flickr; OKCupid; and Wikipedia.  Mr. Pagliery writes that people can now change passwords for these sites.

The even better news Mr. Pagliery includes is the longer list of 20 companies who either don’t use the affected software or use a different version of it.  To date, this category includes:

  • Financial institutions: Bank of America, Capital One, Chase, Citibank, HSB, PNC, U.S. Bank, Wells Fargo, E*Trade, Charles Schwab, Fidelity, Scottrade, TD Ameritrade, Vanguard and PayPal;
  • Social media: LinkedIn and Twitter;
  • Microsoft including Hotmail and Outlook;
  • Amazon;
  • AOL and Mapquest.

Mr. Pagliery lists a third category of companies from whom he and CNN have not yet heard.  He lists those companies under the heading “Don’t change these passwords yet (still unclear, no response)”.  Those companies are: American Express; Apple, iCloud and iTunes; and Healthcare.gov.

More companies need to start alerting their customers about whether their websites were affected; whether they’ve been patched; and whether customers can safely change their passwords.  I’ve gotten emails from several of the companies I use saying that they don’t use the affected software.  I’m glad to be getting those emails but wish more companies were being that proactive.