topic Re: OpenSSL in Discussions & Feedback

OpenSSL

Anonymous — Sat, 12 Apr 2014 20:06:15 GMT

Are o2 able to confirm that the Community website, the mobile o2 app and the o2.co.uk website are secure so that those who want to can change their passwords as recommended? ?

Re: OpenSSL

Anonymous — Sat, 12 Apr 2014 20:16:46 GMT

Some systems were affected by the heartbleed bug, however they've since been patched and the issue resolved. In any situation like this, it's recommended that you reset your passwords.

Re: OpenSSL

Anonymous — Sat, 12 Apr 2014 20:18:24 GMT

Hi Kyle

Do you mean some o2 systems or some systems from other companies? My question was specifically directed towards o2 sites please

Re: OpenSSL

Anonymous — Sat, 12 Apr 2014 20:22:27 GMT

Yes, some O2 systems were affected.

Re: OpenSSL

Anonymous — Sat, 12 Apr 2014 20:24:59 GMT

Thank you very much KyleB. Much appreciated.

I can now go forward and reset my passwords.

Thanks again 😃

Re: OpenSSL

Anonymous — Sat, 12 Apr 2014 20:35:23 GMT

So O2 systems were affected and O2 doesn't think to warn its customers??

Re: OpenSSL

Anonymous — Sat, 12 Apr 2014 20:44:14 GMT

Not many companies have @damien1.

I rang my back yesterday but they confirmed they weren't affected (first direct / hsbc) but I believe other banks may have been.

Re: OpenSSL

Anonymous — Sat, 12 Apr 2014 20:48:03 GMT

When I log on to my bank it tells me all about the threat and then says they are not affected I think O2 should have told their customers

Re: OpenSSL

Anonymous — Sat, 12 Apr 2014 20:50:05 GMT

I think ALL companies should be talking to their customers and advising them as appropriate.

Re: OpenSSL

anticpated — Sat, 12 Apr 2014 20:51:14 GMT

You should change passwords on a random basis whenever possible. Not when the press suggests anyway.

Re: OpenSSL

Anonymous — Sat, 12 Apr 2014 20:52:42 GMT

Surely customers should be warned about something as serious as this? I don't just mean O2 either, the only mention I've seen of it is on the Nationwide app which confirms they haven't been affected.

Re: OpenSSL

Anonymous — Sat, 12 Apr 2014 20:54:40 GMT

All affected systems were patched pronto, and there is no reason to believe that any data has been compromised. If you asked directly you would have got an answer, I suppose the company didn't want to potentially scare many users when there seems to be no immediate risk.

Re: OpenSSL

Anonymous — Sat, 12 Apr 2014 20:56:41 GMT

To be honest Kyle yes I agree a company like o2 would have moved quickly but this issue has apparently been known for up to 2 years so we don't know if or data or our passwords are protected or not

Re: OpenSSL

Anonymous — Sat, 12 Apr 2014 20:58:44 GMT

And of course not all companies have completed the upgrade yet so the Internet security experts are saying not to update passwords until the company you are dealing with have confirmed they have upgrade / closed the issue.

Re: OpenSSL

jonsie — Sat, 12 Apr 2014 21:00:04 GMT

I have painstakingly been changing passwords all day but rest assured another 'leak' will occur again in the near future. Best option as suggested is to change passwords regularly. I do agree that all the large national companies should be displaying warning notices on their landing page.

Re: OpenSSL

Anonymous — Sat, 12 Apr 2014 21:03:31 GMT

I will be changing those passwords for those companies I have spoken to tomorrow.

Companies don't help themselves as by nor telling people then what do we do? Phone up.

Re: OpenSSL

anticpated — Sat, 12 Apr 2014 21:16:08 GMT

The thing is though, everyone knows and the expected action of potential hackers is they will monitor the data packets and even if you do change your password when the patch is not in place, then potentially your details are still are not secure as they should be.

I haven't changed any passwords yet.

Another risk is XSS (Cross Side Scripting) where your data is retransmitted to a 3rd party website/server without you being aware of it. NoScript for Firefox is a good way to keep tab of that.

Anyway it's not like there isn't already to contend with.

Re: OpenSSL

Anonymous — Sat, 12 Apr 2014 21:20:48 GMT

Glad to see many share my thoughts that large companies should be telling their customers there is no reason why O2 couldn't have put a message on the sign in page even if there was no problem

Re: OpenSSL

Bambino — Sat, 12 Apr 2014 21:27:53 GMT

Both Google and Yahoo were affected and have now patched. They never posted any notification of a problem, so it's not surprising that O2 didn't either.

Re: OpenSSL

Anonymous — Sat, 12 Apr 2014 22:27:06 GMT

Very true Bambino but I would have to add that their absence doesn't make it right. .... 😈