HeartBleed - known vulnerable sites

Version 8

    The list of websites potentially vulnerable to HeartBleed is huge - OpenSSL is used in the widely used Apache and Nginx server software.

     

    Many are relatively unimportant, low-traffic sites; others are more important. This list is constantly changing, as sysadmins take the necessary corrective measures. However, a vulnerable site could potentially have been leaking information for up to two years, so if you have used any of these sites for secure transactions you should take at least the minimum precaution of changing any password you have been using on that site.

     

    There are some testing tools available to check a site for vulnerabilities. The one I have been using is http://filippo.io/Heartbleed/

    If there are any others which are known to be reliable (and safe), please put a link to them via the comments; use the comments also if you find any more sites vulnerable to Heartbleed.

     

    THE LIST SO FAR

     

    (From https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt )

     

    Testing addthis.com...  vulnerable.

    Testing flickr.com...  vulnerable.

    Testing hidemyass.com...  vulnerable.  (A spokesman says their users "are not affected". Note the present tense.)

    Testing kickass.to...  vulnerable.

    Testing redtube.com...  vulnerable.

    Testing slate.com...  vulnerable.

    Testing stackexchange.com...  vulnerable.

    Testing stackoverflow.com...  vulnerable.

    Testing steamcommunity.com...  vulnerable.

    Testing yahoo.com...  vulnerable.

     

     

    Testing sogou.com...  vulnerable.

    Testing adf.ly...  vulnerable.

    Testing outbrain.com...  vulnerable.

    Testing archive.org...  vulnerable.

     

     

    Testing popads.net...  vulnerable.

    Testing avito.ru...  vulnerable.

    Testing kaskus.co.id...  vulnerable.

    Testing web.de...  vulnerable.

    Testing suning.com...  vulnerable.

    Testing zeobit.com...  vulnerable.

    Testing beeg.com...  vulnerable.

    Testing seznam.cz...  vulnerable.

    Testing okcupid.com...  vulnerable.

    Testing pch.com...  vulnerable.

    Testing xda-developers.com...  vulnerable.

    Testing scoop.it...  vulnerable.

    Testing 123rf.com...  vulnerable.

    Testing m-w.com...  vulnerable.

    Testing dreamstime.com...  vulnerable.

    Testing amung.us...  vulnerable.

    Testing eventbrite.com...  vulnerable.

    Testing wetransfer.com...  vulnerable.

    Testing sh.st...  vulnerable.

    Testing entrepreneur.com...  vulnerable.

    Testing zoho.com...  vulnerable.

    Testing yts.re...  vulnerable.

    Testing usmagazine.com...  vulnerable.

    Testing picmonkey.com...  vulnerable.

    Testing petflow.com...  vulnerable.

    Testing squidoo.com...  vulnerable.

    Testing avazutracking.net...  vulnerable.

    Testing elegantthemes.com...  vulnerable.

    Testing 500px.com...  vulnerable.

    Testing leo.org...  vulnerable.

    Testing fool.com...  vulnerable.

    Testing digitalpoint.com...  vulnerable.

     

     

    usgs.gov - Vulnerable (false positive)

     

     

    Vulnerable, now fixed (but change any passwords used here)

    See http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

     

    • Amazon Web Services
    • Dropbox
    • Facebook - Allegedly. Facebook says they "are unaffected", which leaves open the question of whether they were previously.
    • Google - Google fixed their servers before anyone else knew about this, but they were vulnerable before that.
    • Gmail - See above.
    • GoDaddy
    • LastPass
    • Minecraft
    • Pinterest
    • Steam - To be confirmed
    • Wordpress.com
    • Yahoo Mail