Internet users are being urged to change all their online passwords after the discovery of a major security flaw affecting half a million websites.
The Yahoo blogging platform Tumblr has advised the public to “change your passwords everywhere – especially your high-security services like email, file storage and banking”.
The Heartbleed Bug has compromised software called OpenSSL – a popular cryptographic library used to digitally scramble sensitive data as it passes to and from computer servers so that only the service provider and the intended recipients can make sense of it.
A padlock icon in the browser's address bar shows that a website is using this kind of encryption, but it does not by itself reveal whether the site relies on OpenSSL or on a rival product.
Google Security and Codenomicon – a Finnish security company – revealed on Monday that a flaw had existed in OpenSSL for more than two years that could be used to expose the secret keys that identify service providers employing the code.
They said that if attackers made copies of these keys they could steal the names and passwords of people using the services, as well as take copies of their data and set up spoof sites that would appear legitimate because they used the stolen credentials.
It is not known whether the exploit had been used before the revelation, since doing so would not leave a trail – unless the hackers published their haul online.
However, experts stress that they have no evidence of cybercriminals having harvested the passwords, and that users should check which services have fixed the flaw before changing their passwords, since a new password entered on an unpatched site could be exposed in the same way.
“If people have logged into a service during the window of vulnerability then there is a chance that the password is already harvested,” said Ari Takanen, Codenomicon’s chief technology officer.
“In that sense it’s a good idea to change the passwords on all the updated web portals.”
Other security experts have been shocked by the revelation.
“Catastrophic is the right word. On the scale of one to 10, this is an 11,” blogged Bruce Schneier.
The BBC understands that Google warned a select number of organisations about the issue before making it public, so they could update their equipment to a new version of OpenSSL released at the start of the week.