One year after the massive security flaw, Heartbleed, was revealed to the public, a new study found that up to 74 percent of companies in the Global 2000 are still vulnerable to being hacked via the bug.
The flaw grabbed widespread media attention when it was revealed in 2014, and made countless businesses scramble to fix their servers. But a study released this week by Venafi, a Salt Lake City, Utah-based cybersecurity firm, shows those efforts were not always enough.
Cybercriminals can still exploit the vulnerability to gain usernames and passwords as well as sensitive business and financial data, the study found.
"Heartbleed is still prevalent," said Josh Abraham, vice president of services at Austin, Texas-headquartered Praetorian, a cybersecurity company that helps organizations minimize risk. Heartbleed affects OpenSSL, software that lets websites communicate securely over the Internet.
Venafi compared historical vulnerability scans of Global 2000 businesses over the past year and found that 1,223 companies in the Global 2000 were still potentially vulnerable to the bug. In addition, from August 2014 to April 2015, the scans found only 2 percent more companies (from 387 companies to 419 companies) had completed their Heartbleed fixes.
A separate study by researchers from Northeastern University, Stanford University and the University of Maryland, released in November, also found that businesses needed to do more to fix the Heartbleed vulnerability.
In order to fix Heartbleed fully, companies need to patch or install updated software on their servers, and then replace their SSL certificates and private keys, according to Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. (An SSL certificate is a small data file that identifies a website and allows data sent to it over the Internet to be encrypted; the matching private key is used to decrypt that data.)
Even once the updated software is installed, companies could still be vulnerable if hackers were able to obtain the SSL certificate and private key before the vulnerability was fixed.
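As an added illustration, not code from the article or from Venafi, the following check classifies a host's Heartbleed remediation from two scans in the spirit of the scan comparison described above; the scan fields and sample hosts are constructed, and the only outside fact used is the public disclosure date of 7 April 2014.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Heartbleed was publicly disclosed on 7 April 2014. Any private key that sat on a
# vulnerable server before the patch went in must be treated as possibly exposed.
DISCLOSURE = date(2014, 4, 7)

@dataclass
class Scan:
    when: date
    vulnerable: bool       # did the heartbeat over-read check still succeed?
    pubkey_sha256: str     # fingerprint of the server's public key (hypothetical field)
    cert_not_before: date  # start of the certificate's validity period

def remediation_status(earlier: Scan, latest: Scan) -> str:
    """Classify one host from a pre-fix scan and a later scan."""
    if latest.vulnerable:
        return "unpatched"
    # Patching OpenSSL alone is not enough: the old key may already have leaked.
    if latest.pubkey_sha256 == earlier.pubkey_sha256:
        return "patched, key not rotated"
    # A new key is still suspect if its certificate predates the disclosure.
    if latest.cert_not_before < DISCLOSURE:
        return "patched, certificate issued before disclosure"
    return "fully remediated"

def summarize(hosts: dict) -> Counter:
    """Count hosts per status, the way a portfolio-wide rescan would report them."""
    return Counter(remediation_status(*scans) for scans in hosts.values())

# Constructed sample data: two scans per host (August 2014 and April 2015).
SAMPLE = {
    "shop.example": (Scan(date(2014, 8, 1), True, "aa11", date(2013, 6, 1)),
                     Scan(date(2015, 4, 1), True, "aa11", date(2013, 6, 1))),
    "mail.example": (Scan(date(2014, 8, 1), True, "bb22", date(2013, 9, 1)),
                     Scan(date(2015, 4, 1), False, "bb22", date(2013, 9, 1))),
    "api.example": (Scan(date(2014, 8, 1), True, "cc33", date(2014, 1, 1)),
                    Scan(date(2015, 4, 1), False, "dd44", date(2014, 1, 15))),
    "www.example": (Scan(date(2014, 8, 1), True, "ee55", date(2013, 1, 1)),
                    Scan(date(2015, 4, 1), False, "ff66", date(2014, 5, 2))),
}

if __name__ == "__main__":
    for host, scans in SAMPLE.items():
        print(f"{host}: {remediation_status(*scans)}")
    print(summarize(SAMPLE))
```

Only the last host counts as fully fixed; the other three are the "patched but still exposed" cases the article describes.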
Another danger of the stolen SSL certificates and private keys is that websites can be spoofed, according to Bocek. Hackers can use the information gained from the Heartbleed vulnerability to set up fake websites that appear to consumers to be real.
"[Full remediation] is taking more time because it's slow to do," said Bocek.
The full dangers of Heartbleed are unknown. While well-known companies have had sensitive information stolen, sometimes in high-profile attacks, determining that a breach was caused specifically by Heartbleed is difficult, said Praetorian's Abraham.
The larger lesson is that businesses need to be better at updating their servers, say cybersecurity experts.
"Unfortunately, Heartbleed was just one example of a vulnerability that needs patching and remediation as soon as possible…organizations that don't manage vulnerabilities will fall victim to trivial attacks," said Erik Heidt, a research director for Gartner, a Stamford, Connecticut-based technology research and advisory company.