Internet Users Failing to Protect Themselves From Heartbleed

New data from Pew indicates that while many have heard of Heartbleed, less than half of those Internet users have taken steps to protect themselves.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

The Heartbleed security vulnerability that was first disclosed in early April has dominated technology security headlines in recent weeks, but that doesn't mean that all Internet users have actually taken steps to protect themselves. A new study published on April 30 by the Pew Research Center reveals that less than half of the Internet users who were aware of the Heartbleed took steps to protect themselves.

The Heartbleed security flaw was first revealed on April 7 by the open-source OpenSSL project. OpenSSL is an open-source cryptographic library that provides Secure Sockets Layer (SSL) encryption for data in transport. The Heartbleed flaw is technically identified as CVE-2014-0160 and called "TLS heartbeat read overrun" and could enable an attacker to get access to information that is supposed to be encrypted with SSL.

OpenSSL is widely used on servers and embedded devices including mobile phones, giving the Heartbleed vulnerability significant global impact. According to the Pew study of 1,501 American adults surveyed between April 23-27, 64 percent of surveyed Internet users had heard about the Heartbleed flaw.

Of those respondents who were aware of the Heartbleed flaw, only 39 percent actually took steps to protect themselves. Those steps include changing passwords and avoiding potentially vulnerable online services.

Looking deeper into the demographics of those who changed their passwords in response to Heartbleed, Pew found that there was a disparity across income levels. For American households with incomes of less than $30,000, only 33 percent had changed passwords. In contrast, 46 percent of American households earning $75,000 or more changed passwords in response to Heartbleed.

From a risk perspective, only 29 percent of those who were aware of Heartbleed actually believed that their information was somehow at risk from Heartbleed. Only 6 percent noted that they believed that personal information was actually stolen as a result of Heartbleed.

Public reports of actual exploitation from Heartbleed have in fact been somewhat limited. The Canada Revenue Agency (CRA), which is the Canadian equivalent of the U.S. Internal Revenue Service (IRS), reported that it was exploited by Heartbleed, with approximately 900 Canadian taxpayers being impacted.

Security firm FireEye has reported that one of its customers was attacked by Heartbleed by way of virtual private network (VPN) technology. FireEye has also alleged that as many as 150 million Google Android app downloads are at risk from Heartbleed.

Although Heartbleed has been a concern for Internet security, Pew also found that overall, 69 percent of Internet users see their online information as being generally secure.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.