Do you spend a lot of time online? If so, it’s time to change your passwords.

Internet security experts in Maine said a pervasive security flaw in Web servers used by major websites such as Facebook, Gmail, Yahoo and Instagram could have allowed hackers to steal sensitive information about users including their account names and passwords.

A patch was released Monday to fix the problem, they said, but it is important for consumers to change as soon as possible any passwords they have used on vulnerable sites over the past two years.

“Update your password, and make sure the provider has updated the patch to this thing,” said Daniel Eosco, president of Bath-based Maine Hosting Solutions.

It is also important for users of social media services to update their Facebook, Twitter, Instagram, Tumblr and other passwords, security experts said.

As of Wednesday, most major online retailers, social media services, email providers and others had reported that they updated their systems to eliminate the security hole. Most banks and e-commerce sites such as those operated by Amazon, Target, eBay, Walmart and PayPal were not affected, the companies said.


The bug has been dubbed Heartbleed by the Finnish security firm that discovered it, because it allows hackers to exploit a vulnerability in a messaging service called Heartbeat, used by many online hosting services as part of their encryption systems to protect sensitive data.

The security firm, Codenomicon, has a website that features answers to common questions about Heartbleed at

The Heartbeat service interacts with OpenSSL, an open-source encryption technology used to protect sensitive data in an estimated two-thirds of all web servers around the world.

However, only about 17 percent of servers running OpenSSL were using the vulnerable Heartbeat service, according to online security firm Netcraft. Still, that left more than 500,000 servers vulnerable worldwide, Netcraft said in a blog post Wednesday.

Technology collaboration website GitHub tested the top 10,000 most visited e-commerce sites for vulnerabilities to Heartbleed and reported that Maine-based Barclaycard, which manages the L.L.Bean Visa card among others, remained vulnerable to attack as of Tuesday.

An updated test showed that Barclaycard appeared to have applied the security patch as of Wednesday.


L.L.Bean spokeswoman Carolyn Beem said the L.L.Bean e-commerce site itself was not vulnerable to the Heartbleed security flaw, so customers do not need to update their passwords.

“The systems that process customer information do not use the vulnerable OpenSSL software,” Beem said. “There has been no evidence of compromise as a result of this event.”

Amy Landry, spokeswoman for Portland-based online health records provider HealthInfoNet, said the company was not affected by Heartbleed because it does not use the type of servers that were vulnerable to the security flaw.

“We haven’t had any impact here,” Landry said.

Consumers can identify websites that use OpenSSL by a padlock icon that appears in the address bar of their Web browser when they access a secured page.

The vulnerability allows hackers to steal the most recently processed data from Web servers and even impersonate websites that use OpenSSL to steal other information such as credit card numbers.


Eosco said most Web-hosting companies applied the patch automatically Monday, including his own.

However, he stressed that online shoppers should err on the side of caution if they don’t know for sure whether a website they use was vulnerable to attack.

“If you’ve got a password, change it,” he said.

J. Craig Anderson can be contacted at 207-791-6390 or:

Twitter: jcraiganderson

Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.