The "Heartbleed" security bug in software used by millions of web servers could have exposed anyone visiting sites they hosted to spying and eavesdropping, say researchers.
The bug is in a software library used in servers, operating systems and email and instant messaging systems and reportedly affects nearly two-thirds of all websites, including Yahoo Mail, OKCupid, WeTransfer, and others.
It takes advantage of a vulnerability in OpenSSL, an open-source protocol used to encrypt vast portions of the web. It allows cybercrooks to steal encryption keys, usernames and passwords, financial data and other sensitive data they have no right to.
Called OpenSSL the software is supposed to protect sensitive data as it travels back and forth.
It is not clear how widespread exploitation of the bug has been because attacks leave no trace.
"If you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle," said a blog entry about the bug published by the Tor Project which produces software that helps people avoid scrutiny of their browsing habits.