A newly discovered bug in software supposed to provide extra protection for thousands of the world’s most popular websites has exposed highly sensitive information such as credit card numbers, usernames, and passwords, security researchers said.
The discovery of the bug, known as Heartbleed, has caused several websites to advise their users to change their passwords.
“This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug,” Tumblr wrote in a note to its many users.
“The little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.”
Yahoo, the owner of Tumblr, confirms that its users’ passwords have been compromised.
The bug was discovered late last week in the OpenSSL technology that runs encryption for two-thirds of the Internet. The researchers who discovered it said that most Internet users “are likely to be affected either directly or indirectly.”
It was found simultaneously by a Google security researcher and a small security firm named Codenomicon and disclosed Monday night.
Experts are now scrambling to asses the extent of the security breach, because the bug remained undiscovered for two years. Hackers may have exploited it without leaving footprints.
“We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace,” Codenomicon wrote on their newly created website about the bug.
According to several security experts, it is one of the most serious security flaws uncovered in many years.
“Heartbleed is like finding a faulty car part used in nearly every make and model, but you can’t recall the Internet and all the data you put out on it,” Jonathan Sander, vice president of research and technology for Stealthbits Technologies, a cybersecurity firm, told the Los Angeles Times.
The U.S. government’s Department of Homeland Security has advised all businesses using the vulnerable versions of the software to review their servers.
- Exclusive: The Making of the U.S. Military's New Stealth Bomber
- Your Next House Could Be Made on an Assembly Line
- The Legal Implications of the Debate Over Whether 'Extreme Racism' Is a Mental Illness
- Why European Countries Are Giving Teens Free Money To Spend on Books, Music, and Theater
- Republican Skepticism of Trump Has Never Been Higher
- Column: The U.S. Prison System Doesn't Value True Justice
- How Green Is the Qatar World Cup’s Outdoor AC?
- 16 Funny and Whimsical White Elephant Gifts Under $25
- The 5 Best New TV Shows Our Critic Watched in November 2022