Millions of web users faced internet havoc on Wednesday after security researchers revealed that a newly discovered bug dubbed “Heartbleed” has made data on many of the world’s major websites vulnerable to theft by hackers.
The bug — which represents one of the most serious global security flaws revealed in recent years — makes it possible for hackers to retrieve code from websites that would give them access to other information, including user data and passwords.
Tumblr, the popular social network owned by Yahoo, called on its users to change their passwords, in one of the highest-profile admissions of vulnerability.
“The little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit,” Tumblr said in a statement on Tuesday.
Since news of the security flaw reached the public domain late on Monday, thousands of websites have been reviewing their servers to see if they were using vulnerable versions of a type of software known as OpenSSL.
“This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug,” Tumblr added.
The Yahoo-owned social network says it has taken action to fix the security flaw, adding that it has no evidence that its user data have in fact been breached by the Heartbleed bug.
Other web giants like Google, Facebook, Twitter and Amazon said their sites were not affected by the flaw, which was discovered by researchers at Google and the Finnish security company Codenomicon.
They attributed the flaw to faulty computer code and said that hackers could have been exploiting the vulnerability undetected for as long as two years.
They also warned users that changing their passwords may not be enough to protect them unless the websites they used had also updated their server software to patch the flaw.
“We haven’t detected any signs of suspicious account activity that would suggest a specific action, but we encourage people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don’t use on other sites,” Facebook said.
But researchers such as Bruce Schneier, chief technology officer of Co3 Systems, said over 500,000 websites were vulnerable. Another security firm, Kaspersky Lab, said it had detected dozens of malicious programs, developed since news of the bug broke on Monday night, that scan websites for the vulnerability.
“If you need strong anonymity or privacy you might want to stay away from the Internet entirely for the next few days while things settle,” said Roger Dingledine, the president of the Tor Project, a web service that helps users surf anonymously.