A major flaw in one of the Internet's chief security methods has exposed users' confidential information to hackers for the last two years, security researchers revealed Monday night. The "Heartbleed" bug affects the OpenSSL security protocol used by some two-thirds of websites to protect sensitive data as it moves back and forth. Major websites are scrambling to fix the problem (Yahoo did so yesterday), reports the BBC, but experts suggest users change their passwords as soon as they are sure the sites they use are secure—or even avoid the Internet for a few days. "I would change every password everywhere," one tells the AP.
The bug (which a cryptographer describes as the "result of a relatively mundane coding error") allows hackers to pull 64k of memory, at random, from a server—and since the attacks leave no trace, hackers can "go fishing" over and over again for sensitive data like passwords and bank details, the Verge explains. It's not clear how widely the bug was exploited, but the security hole means the "little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe was actually making all that private information accessible to anyone who knew about the exploit," the security team at Tumblr wrote in a blog post. For now, users should make sure to log out when they finish using a website, the chief of content delivery network Cloudflare tells the Huffington Post, adding that the bug "is so serious—it's such a big, bad event—that almost every major service is scrambling to clean it up as quickly as possible" and most major sites should be patched by the end of the week. More on how to protect yourself here. (Read more Heartbleed stories.)