One of the most shocking cyber security failures, the Heartbleed Bug, is said to have been exploited by the NSA for over two years, Bloomberg reports. The Heartbleed Bug, which has allowed hackers to obtain credit card information and account passwords from nearly any website that uses OpenSSL, was just reported this week by Google.
In the story, Bloomberg cites two unnamed sources saying that the NSA knew of the bug and used Heartbleed to obtain passwords and other data. However, by keeping this use secret, the NSA left millions of web users “vulnerable to attack from other nations’ intelligence arms and criminal hackers.”
In addition, Bloomberg obtained comments from Jason Healey, the director of the Cyber Statecraft Initiative at the Atlantic Council, who said, “It flies in the face of the agency’s comments that defense comes first…They are going to be completely shredded by the computer security community for this.”
NSA spokeswoman Vanee Vines declined to comment on the agency’s knowledge of, or exploitation of, the Heartbleed Bug for its own purposes. The main concern regarding the NSA is its large black budget, part of which is used to pursue software exploits that can be used by criminals to steal sensitive information. Because OpenSSL is used by the majority of major web services online (e.g. Yahoo, Google, Facebook, Tumblr, and credit card companies), almost anyone on the web could have been affected. The NSA’s supposed use of the exploit raises concerns on both sides of the cybersecurity aisle: the government and the black hat hacking community.
Earlier this week, rollouts of security patches for websites left vulnerable by the Heartbleed exploit were announced, including many mainstream services. You can see the full list of these websites and their current situation on Mashable’s chart. Users of these websites are encouraged to change passwords and security information once these websites have officially announced their security patches.