A glitch in software meant to encrypt and protect online transactions has potentially exposed millions of passwords, credit card numbers and other sensitive bits of information to potential theft by computer hackers.
Security researchers at Google and Internet security firm Codenomicon revealed the breakdown, known as "Heartbleed", on Tuesday. The glitch was in a vulnerable version of software known as OpenSSL.
OpenSSL software is meant to protect online accounts for emails, instant messaging and a wide range of electronic commerce.
Heartbleed is of particular concern because it went undetected for more than two years, making it difficult for people to know if they’ve been compromised. Security researchers are advising people to consider changing their online passwords.
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software,” according to the website Heartbleed.com
, which was set up by Codenomicon. “This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.”
Codenomicon said it had tested its own services “from an attacker’s perspective" and successfully stolen “usernames and passwords, instant messages, emails and business critical documents” all “without leaving a trace.”
The discovery of the bug prompted the U.S. Department of Homeland Security to issue a warning computer users and systems administrators to see whether they’re using OpenSSL.
Codenomicon is advising service providers and users to “install the fix as it becomes available for the operating systems, networked appliances and software they use.”
Experts say Heartbleed is serious and of concern to all Internet users, but that before changing passwords, check to see that the bug has been patched.
"Many are calling for an immediate change to passwords - a call to action I fully endorse with one caveat," said Christopher Burgess, CEO of Prevendra, Inc., an Internet security firm. "If the entity with whom you are about to change your password has not updated their SSL, you are changing your password into an insecure environment. I advocate checking for the update from your vendor - once they confirm, then change the password to a strong password."
Burgess added that it's important to remember that the problem isn't on your device or machine, but rather on the servers supporting websites we visit each day.
You can check if a website has updated its servers by visiting this Heartbleed testing site