Several tech firms are urging people to change all their passwords after the discovery of a major security flaw, the BBC reported.
Security advisers have given similar warnings about the Heartbleed bug, so named because it leaks data from the memory of affected servers, but many say there is very little that Internet users can do to protect themselves.
The bug was discovered earlier this week by the Finnish security company Codenomicon. David Chartier, CEO, told International Business Times how it was found: “We attack the software with unexpected messages and see how it reacts. When you do this, you can find messages or characters or something that causes the system you’re testing to crash. This is the building block of software vulnerabilities that can be exploited.”
Researchers observed sophisticated hacking groups conducting automated scans of the Internet in search of Web servers running vulnerable versions of OpenSSL, a widely used Web encryption library; the flaw leaves such servers open to the theft of data, including passwords, confidential communications and credit card numbers.
OpenSSL is used on about two thirds of all Web servers, and the flaw went undetected for about two years.
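The article says only that the bug leaks data from servers. The mechanism, as documented in the public OpenSSL 1.0.1g fix, is a missing length check in the TLS heartbeat extension (RFC 6520): a request declares how many payload bytes it carries, and the server echoed that many bytes back without confirming they had actually arrived, so whatever sat next to the request in process memory was copied into the response. The C program below is an added example written for this page, not code from the article or from OpenSSL. The "server memory" is a constructed 128-byte arena with a made-up secret placed right after the received record, and the 4-byte payload and claimed length of 64 are assumptions chosen to keep the demonstration inside defined memory (the real bug could read up to 64 KB past the record). The vulnerable handler mirrors the pre-fix logic and the fixed handler mirrors the bounds check added in 1.0.1g.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message body (RFC 6520): type(1) | payload_length(2, big-endian)
 * | payload | padding(>=16). OpenSSL 1.0.1 through 1.0.1f copied payload_length
 * bytes into the response without checking that many bytes had actually arrived. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define ARENA_SIZE  128   /* assumption: small arena so the demo stays in defined memory */

/* Constructed stand-in for whatever sat next to the record in the server's heap. */
static const char SECRET[] = "session=abc123;password=hunter2";

struct arena {
    uint8_t mem[ARENA_SIZE];  /* record at the front, SECRET right after it */
    size_t  record_len;       /* bytes that really arrived on the wire */
};

/* Build a heartbeat request whose header claims `claimed` payload bytes while
 * only the constructed 4-byte payload "ping" is actually sent. */
static void build_request(struct arena *a, uint16_t claimed)
{
    static const uint8_t payload[] = { 'p', 'i', 'n', 'g' };
    memset(a->mem, 0, sizeof a->mem);
    a->mem[0] = HB_REQUEST;
    a->mem[1] = (uint8_t)(claimed >> 8);
    a->mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(a->mem + 3, payload, sizeof payload);
    a->record_len = 3 + sizeof payload + HB_PADDING;   /* padding left as zeros */
    memcpy(a->mem + a->record_len, SECRET, sizeof SECRET);
}

/* Shared response construction: echoes payload_len bytes starting at p + 3.
 * Safe only if the caller has verified payload_len against the record length. */
static size_t build_response(const uint8_t *p, uint16_t payload_len, uint8_t *out, size_t out_cap)
{
    size_t resp_len = 3 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap)  /* output-side guard so the demo cannot overrun `out` */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, p + 3, payload_len);           /* reads payload_len bytes, whatever arrived */
    memset(out + 3 + payload_len, 0, HB_PADDING);  /* real code used random padding */
    return resp_len;
}

/* Pre-fix logic: trusts the attacker-controlled length field outright. */
static size_t vulnerable_heartbeat(const struct arena *a, uint8_t *out, size_t out_cap)
{
    const uint8_t *p = a->mem;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    return build_response(p, payload_len, out, out_cap);   /* the bug: no check vs record_len */
}

/* 1.0.1g logic: discard any record whose declared payload does not fit inside it. */
static size_t fixed_heartbeat(const struct arena *a, uint8_t *out, size_t out_cap)
{
    const uint8_t *p = a->mem;
    if (a->record_len < 1 + 2 + HB_PADDING)
        return 0;                                  /* silently discard */
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > a->record_len)
        return 0;                                  /* silently discard, per RFC 6520 sec. 4 */
    return build_response(p, payload_len, out, out_cap);
}

/* Naive substring search; avoids the non-portable memmem(). */
static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Run one request through the chosen handler. Returns the response length
 * (0 = discarded) and reports whether the response carries the secret. */
static size_t run_heartbeat(int use_fix, uint16_t claimed, int *leaked)
{
    struct arena a;
    uint8_t out[ARENA_SIZE];
    build_request(&a, claimed);
    size_t n = use_fix ? fixed_heartbeat(&a, out, sizeof out)
                       : vulnerable_heartbeat(&a, out, sizeof out);
    *leaked = n > 3 && contains(out + 3, n - 3, SECRET);
    return n;
}

size_t heartbeat_response_len(int use_fix, uint16_t claimed) { int l; return run_heartbeat(use_fix, claimed, &l); }
int    heartbeat_leaks_secret(int use_fix, uint16_t claimed) { int l; run_heartbeat(use_fix, claimed, &l); return l; }

int main(void)
{
    printf("vulnerable, claimed 64: %zu-byte response, secret leaked: %s\n",
           heartbeat_response_len(0, 64), heartbeat_leaks_secret(0, 64) ? "yes" : "no");
    printf("fixed, claimed 64:      %zu-byte response (0 = discarded), secret leaked: %s\n",
           heartbeat_response_len(1, 64), heartbeat_leaks_secret(1, 64) ? "yes" : "no");
    printf("fixed, honest 4:        %zu-byte response\n", heartbeat_response_len(1, 4));
    return 0;
}
```

Build with `cc -std=c99 -Wall heartbleed_demo.c -o heartbleed_demo` (file name assumed). The honest request, whose declared length matches what was sent, still gets a normal reply from the fixed handler; only the lying request is dropped. Because every such request pulled a fresh slice of server memory, repeating it was enough to harvest cookies, passwords and, in some cases, private keys, which is why a password changed while the server is still unpatched can simply be captured again.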
Kurt Baumgartner, a researcher with security software maker Kaspersky Lab, said his firm uncovered evidence on Monday that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans shortly after news of the bug first surfaced the same day.
“The problem is insidious,” Baumgartner said. “Now it is amateur hour. Everybody is doing it.”
It has been reported that Google warned a select number of organisations about the issue before making it public, so they could update their servers to the new version of OpenSSL released at the start of the week. However, it appears that Yahoo was not included on this list, as tech site CNET has reported that some people were able to obtain usernames and passwords from the company before it was able to apply the fix.
The Yahoo blogging platform Tumblr has advised the public to “change your passwords everywhere – especially your high-security services like email, file storage and banking”.
“Our team has successfully made the appropriate corrections across the main Yahoo properties – Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr – and we are working to implement the fix across the rest of our sites right now,” said a spokeswoman for the company.
Representatives for Facebook Inc, Google and Yahoo Inc told Reuters they have taken steps to mitigate the impact on users.
OpenSSL is chiefly deployed on the servers that host websites, not on most PCs or mobile devices, so even though the bug exposes passwords and other data entered on those devices to hackers, it must be fixed by website operators.
“There is nothing users can do to fix their computers,” said Mikko Hypponen, chief research officer with security software maker F-Secure.
Hypponen said computer users could change their account passwords immediately, but would have to change them again once the operators of affected sites notified them that their servers had been vulnerable and had since been fixed.
“Take care of the passwords that are very important to you,” he said. “Maybe change them now, maybe change them in a week. And if you are worried about your credit cards, check your credit card bills very closely.”