Assuming that is correct (of which I'm only 75% sure), why the over-reaction from websites that are proactively changing their entire user bases' passwords? For example, Soundcloud just (a) logged everyone out, and (b) suggested every user change their password: http://blog.soundcloud.com/tag/heartbleed/. SC isn't alone - I've received emails from other large organizations as well.
This seems like a huge over-reach. I haven't logged in to Soundcloud in probably 3-4 months. Is this an over-reaction on their part, a misunderstanding on my part of what the vuln exposes, or has it been going on for months/years and the sites are only now realizing it?