Apr 10, 2014 10:59 AM by NBC News
A serious security flaw called "Heartbleed" could expose credit card numbers, passwords and other personal data for users of popular online services -- but there's not a lot consumers can do until the sites fix the problem on their end.
"Heartbleed" is a serious bug in the OpenSSL software that many, many sites use to encrypt and transmit data. The flaw allows potential attackers to see anything that's stored in the memory of a site's web server -- including both personal data and the encryption keys for a server, which can be used to impersonate the server and grab even more information.
An estimated 60 to 70 percent of the world's web servers use OpenSSL, making Heartbleed -- a name given by researchers who discovered the bug and published information about it on Monday -- a problem for much of the Internet. What's worse, the flaw has reportedly existed for nearly two years.
Unfortunately, consumers can't do much as websites scramble to update their OpenSSL software with a fix that was issued on Monday.
"You can run to update your password everywhere, but it won't do any good on the sites that haven't pushed out a fix yet," Josh Abraham, director of professional services for security firm Praetorian, told NBCNews.
Companies including Google, Amazon, Yahoo, Tumblr and Facebook said they have investigated the issue and are working to update their sites. But the fix could be slower for small businesses who use OpenSSL -- and entering a new password into a potentially compromised site could do more harm than help.
Once a site has confirmed it has fixed the flaw, Abraham said, people should change their passwords immediately.
"It's a reminder that changing passwords early and often is a good practice," he added.
That may be cold comfort for customers worried about their data all over the web, but cybersecurity experts said the Heartbleed threat isn't as great as more targeted attacks.
"With Heartbleed, the information running through server memory is random -- it's whatever was recently stored at that time," Dave Chronister, managing partner of Parameter Security, told NBCNews. "This isn't a keylogger installed on your personal machine to find out your particular information."
Still, Heartbleed serves as a reminder of the fallibility of technology, he added.
"Just because they say it's encrypted and strong by design, problems still happen," Chronister said. "It should show companies that if you don't really, really need information like clients' social security numbers, don't collect them."
Chronister also pointed out that we may never know who, if anyone, was affected by the Heartbleed bug. An attacker who exploited the flaw would leave no trace.
"This flaw affected a lot more people because OpenSSL is so widely used, but for every one of these that makes the news, there are a lot that don't," Chronister said. "[Heartbleed] is bad, but for me, there's a lot of other security stuff going on that is much scarier."
6 hours ago