Your Favorite Websites Could Have Warned You About Heartbleed, But Didn't

Our favorite websites follow our every click and swipe, but when news of the Heartbleed bug broke last week, many of them left us to figure out the dangers for ourselves: More than a week after the discovery of one of the biggest security flaws in Internet history, many popular websites have still not reached out to their customers to explain whether they are at risk.

Several companies told The Huffington Post they did not email users because their sites were not affected. Some may still not know for sure. But many websites never directly passed that information on to their customers, who have been forced to investigate on their own by scouring the Web for company blog posts, tweets or statements amid a deluge of sometimes-conflicting media reports.

Last week, researchers disclosed a bug in a widely used security software that allowed hackers to steal passwords, credit card data or Social Security numbers from two-thirds of all websites, as well as home routers, millions of smartphones running older Android operating systems, and other Internet-connected devices.

The news created widespread confusion partly because some experts advised people to change their passwords immediately, while others advised them to wait until the affected companies had fixed the vulnerability in their websites.

“Because users have no easy way of knowing if a company was affected, if it's applied the fix, or whether or not it's generated new certificates, I would say that the onus is on the companies to keep their users apprised of what exactly is going on,” said Jeremy Gillula, a staff technologist at the Electronic Frontier Foundation.

Some companies made efforts to communicate directly with their users. The social media site Pinterest, for example, emailed its users about the Heartbleed bug and recommended they change passwords.

But not all companies went that far, prompting some third-party services and media outlets to try to alleviate the confusion.

Mashable, a technology site, created a popular "Heartbleed Hitlist" detailing which companies have been affected, whether they've fixed the bug and whether users should change their passwords. The security company LastPass created an online tool to help people find out if a website was vulnerable to the Heartbleed bug.

"But the onus shouldn't be on the average user to find and use those services,” Gillula said.

Several companies told HuffPost they did not directly communicate with their customers because there was no evidence their data was stolen.

"We didn't communicate proactively to customers, but provided information on a reactive basis," Netflix spokesman Joris Evers said, adding that the company addressed the vulnerability and had not noticed any effect on customer data.

"We see changing passwords as something somebody could do out of precaution; it is not a requirement," Evers said.

But security experts say companies may not realize that hackers have stolen data because an attacker could exploit the Heartbleed bug and not leave a trace. And even if a company was not affected, some customers said they were seeking peace of mind from the companies to which they've entrusted their information.

Several users of Dropbox, the cloud storage company, expressed frustration in the comments section of a company blog post that explained how its security team had patched its systems running the vulnerable software.

“I'm confused, do we need to change our Dropbox passwords? Maybe official communication via email would be more helpful? I stumbled upon this post while looking for other info," Dropbox user Ben S. wrote.

“I also appreciate the update, but given the seriousness and popularity of this bug, shouldn't we all be receiving an email message about it?” another Dropbox user, Eventus P., wrote.

Dropbox spokesman Brandon Borrman said the company sent two tweets from its Twitter account that pointed to the blog post. He added that the company responded to customers' questions via Twitter, but did not email users directly.

The Heartbleed bug exposed passwords, emails and other confidential data belonging to people using Yahoo Mail, according to the technology site Ars Technica.

A Yahoo spokesperson declined to answer questions from HuffPost about whether the company had directly notified Yahoo Mail users about the risks of the bug and what action those users should take to protect themselves.

In a statement, a company spokesperson said Yahoo “has successfully made the appropriate corrections across our entire platform” for the bug, and recommended that users “consider updating their password.”

Google spokeswoman Dorothy Chou also declined to answer questions about whether the company directly notified users about the Heartbleed bug.

"The security of our users' information is a top priority," Chou told HuffPost. "We fixed this bug early, and Google users do not need to change their passwords."

But some Google users still wanted an official explanation on what they should do to protect themselves.

“A recent ABC News article quotes an email from Google saying that users do not need to change their passwords,” Adam Condron wrote in the comments section of Google’s security blog on the Heartbleed bug. “Is that Google's official word on the matter? I've had a hard time finding an official statement on your site.”

Chester Wisniewski, a security expert at Sophos, which develops and sells security software and hardware, told HuffPost that some companies may still be investigating whether their services were affected.

“Very few companies have done any notification yet, I can’t really be sure why,” Wisniewski said.

He said companies should be reaching out to their customers directly, whether their services were affected by the Heartbleed bug or not.

“Alert your users, inform them of the risk and suggest they take action to better secure their accounts," he said.