Over 300,000 servers are still vulnerable to Heartbleed

Over 300,000 servers out of the 600,000 that were vulnerable to Heartbleed are still unpatched two months after the nasty vulnerability in OpenSSL was discovered by a Google engineer. The numbers were announced by security researcher Robert David Graham who found that although half of the 600,00 servers were patched a month after Heartbleed was discovered, only about 9,000 were patched in the last month. It’s safe to assume that most of the bigger sites have been patched. But the fact that more than half the servers haven’t bothered to implement the fix should give you cause for concern. Heartbleed, after all, was little more than a dumb coding mistake that could easily be exploited by hackers to get all sorts of sensitive information like usernames, passwords, encryption keys and more from websites.

Two months ago, security experts and web users panicked when a Google engineer discovered a major bug — known as Heartbleed — that put over a million web servers at risk. The bug doesn’t make the news much anymore, but that doesn’t mean the problem’s solved. Security researcher Robert David Graham has found that at least 309,197 servers are still vulnerable to the exploit. Immediately after the announcement, Graham found some 600,000 servers were exposed by Heartbleed. One month after the bug was announced, that number dropped down to 318,239. In the past month, however, only 9,042 of those servers have been patched to block Heartbleed. That’s cause for concern, because it means that smaller sites aren’t making the effort to implement a fix. Considering the numbers, it’s likely that the lightly-trod corners of the internet will remain vulnerable for many years to come, as sites with sub-par security standards continue to leave themselves — and their users — exposed. The danger is particularly real now since the exploit has been widely publicized. The bug, which affects the OpenSSL protocol used widely online, can cause some serious damage — it can be exploited to give hackers encryption keys, passwords, and other sensitive information.