There have been numerous accounts in the media of late about a new online security vulnerability that could expose users’ passwords. It has been called the Heartbleed bug. FamilySearch.org has thoroughly examined the software used on our site and its servers, and we can report that we are and always have been safe from this vulnerability. We have never employed the code that can lead to the Heartbleed vulnerability.
Frequently Asked Questions
Q: What is Heartbleed?
A: Heartbleed is a bug that causes a serious vulnerability that could expose a user’s passwords to hackers who take advantage of it. To learn more, go to http://heartbleed.com/
Q: Is my information safe?
A: Yes. FamilySearch did not use the code that was affected, so your passwords and personal information on FamilySearch.org were not available to hackers. However, your information on other websites may have been exposed. Please look for information on those sites to know if you were at risk. Additionally, if you use the same username and password on FamilySearch that you do on other websites, your password may have been exposed on those sites, and we would recommend changing it on FamilySearch.org to be safe.
Q: I ran a Heartbleed checker on another site, and it didn’t have information about FamilySearch. Why is that?
A: Some checkers do not return correct results or time out. We have no control over those sites but have double-checked our system, and we have not used the affected code.
Q: I ran a checker and it told me that FamilySearch.org was vulnerable. Why is that? What is the real story?
A: Using a third-party tool can lead you to sites where further investigation is warranted, but ultimately it is up to the site to tell the final story. Be careful about using Heartbleed checker websites, since some of them are either compromised or created by hackers looking to infect your computer or steal information. While some tests have incorrectly identified FamilySearch.org as being vulnerable to Heartbleed, our thorough analysis has told us there was never any threat, and FamilySearch.org is completely safe from this bug.
Q: What else should I do?
A: If you use the same password on other websites and on FamilySearch, and one of those other sites may have been compromised, then you should change your password on FamilySearch as well, to be safe. You only need to do this if you are relatively certain the common password was compromised on the other site.