Credit Unions Issue an ‘All Clear’ on Heartbleed Bug, but Urge Members to ‘Change Your Passwords’

It’s being called one of the biggest security threats the Internet has ever seen, and some of the most popular sites on the Web — from Facebook and Gmail to Pinterest, Netflix and Minecraft — are telling their users that passwords and other account information may have been compromised. But Northwest credit unions moved quickly last week to assure their members that their online and mobile banking services are — and have always been — safe from the Heartbleed bug.

Many of those credit unions pointed members to websites where they could get more information about Heartbleed or to online tools they could use to determine if frequently used sites were vulnerable. And still others used the opportunity to share some good advice.

“Please be assured that Puget Sound Federal Credit Union software vendors have tested all systems to ensure all transactions are safe from this attack,” the credit union told members on its website and through social media. “That said, it is also a really good practice to change your passwords on some regular interval when using any kind of online activity with a financial institution. Now would be a good time to make that change for extra security and peace of mind.”

“Change your passwords” seemed to be the most common advice in the days following the announcement that a flaw in the Open Secure Socket Layer (OpenSSL) technology used to establish secure links between servers and users may have exposed millions of user names, passwords and other personal and financial information. Undetected for more than two years, the Heartbleed bug could have affected two-thirds of the world’s encrypted websites. 

Some Internet companies that were vulnerable to the bug have already updated their servers with a security patch to fix the issue. Facebook said it had added protections before the issue was disclosed to the public, for example; Instagram, Pinterest and YouTube said they also addressed the issue quickly, as did Google, Yahoo, Netflix and Flickr. (For a more complete list, go to

But companies like the gaming website Minecraft told users that even though the problem had been fixed, “We cannot guarantee that your information wasn’t compromised.” And every website urged users to change their passwords now — and often.

“We are not aware of any customer impact,” Netflix told its movie-watching subscribers. “But it’s a good practice to change passwords from time to time, and now would be a good time to think about doing so.”

That message was repeated often by Northwest credit unions, even as their own providers were assuring them that systems were not affected. The Northwest Credit Union Association issued a Compliance Bulletin immediately after learning of the Heartbleed bug; on Friday, the Association updated its website with news that the Compliance Answer Library and League InfoSight systems also were safe.

CUNA Mutual Group issued a Risk Alert to its bond policyholders, urging credit unions to take immediate steps to identify all critical systems that might have been impacted by the security flaw. Washington’s Department of Financial Institutions also urged due diligence in a letter to credit unions and said that it was verifying that all had installed security patches as needed. By midweek, it appeared that most in the Northwest had done so, with Advantis Credit Union, First Tech Federal Credit Union, iQ Credit Union, Northwest Community Credit Union, Seattle Metropolitan Credit Union, TLC Federal Credit Union,  SECU, STCU, WSECU and others issuing an “all clear.”

“Our service providers do not use the web encryption technology that is targeted, and third parties have confirmed the safety and soundness of their services,” Newrizons Federal Credit Union told its members. “Know that your money and information is safe.”

Several credit unions provided links to additional information:

  • TwinStar Credit Union pointed members to
  • Rogue Credit Union sent members to, where they could find tools to make sure other websites they use weren’t vulnerable.
  • Lacamas Community Credit Union connected members to information on its own website, where they could find tips for protecting personal information. So did Central Willamette Community Credit Union. And so did Unitus Community Credit Union, which offered members videos on how to protect online accounts and other security issues.

But no matter how they shared the information, Northwest credit unions all beat the same drum: Change your passwords, Pacific Cascade Federal Credit Union said. Change you passwords, Red Canoe Credit Union said. Change your passwords, BECU said.

“BECU doesn’t use OpenSSL software for or, so your information is not at risk,” the credit union assured members. “While it is not mandatory that you reset your Online Banking password, we always recommend that it is a good practice to change your password at all of your password-protected sites at least once every 90 days.”

And then BECU repeated what members of credit unions across the Northwest no doubt already knew: “As always, member account security is a top priority … and we are monitoring the situation closely.”

Questions about this story? Contact Gary M. Stein: 503.350.2216,

Posted in Article Post.