The tech world is still reeling from Wednesday's revelations about Heartbleed, a recently discovered hole in one of the Internet's most widely used security programs. But a new report from Bloomberg claims the National Security Agency discovered the flaw two years earlier and has been exploiting it to spy on people.
"They have more than a thousand people whose job it is to really look at software code. ... What they're looking for is flaws. They're looking for vulnerabilities that they can use, that their hackers can use to get into computers."
The report, citing two people familiar with the matter, claims the NSA discovered the Heartbleed vulnerability soon after it was first introduced in 2012, and that it then "became a basic part of the agency's toolkit for stealing account passwords and other common tasks."
In case you need a reminder, Heartbleed is a bug in the OpenSSL encryption software that lets an attacker pull chunks of a server's memory through the "heartbeat" requests that clients periodically send to keep a connection alive. (Via xkcd)
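To make the "heartbeat" mechanism concrete, here is an added simulation (not code from the article or from OpenSSL) of the defect behind Heartbleed: the server answered each heartbeat by echoing back as many bytes as the request's own length field claimed, without checking that the request actually contained that many. The memory contents and message layout below are constructed for the example; the fix shown is the same kind of length check OpenSSL added.

```python
import struct
from typing import Optional

# Constructed stand-in for whatever sits in the server's memory right after
# the heartbeat record: data the peer must never be able to read.
SECRET_MEMORY = b"user=alice;password=hunter2;session=deadbeef"

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = b"\x00" * 16   # a heartbeat message ends with at least 16 padding bytes


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Heartbeat message: type(1) | payload_length(2) | payload | padding(16).

    claimed_length is what the sender *writes* into the length field; an honest
    client sets it to len(payload), a malformed request does not.
    """
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + PADDING


def handle_heartbeat_vulnerable(record: bytes) -> bytes:
    """Pre-fix behaviour: trust the peer-supplied length and copy that many bytes."""
    _hb_type, claimed = struct.unpack("!BH", record[:3])
    memory = record + SECRET_MEMORY            # the record plus its neighbours in memory
    payload = memory[3:3 + claimed]            # over-reads past the real payload
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + payload + PADDING


def handle_heartbeat_fixed(record: bytes) -> Optional[bytes]:
    """Patched behaviour: discard any heartbeat whose declared length does not fit."""
    if len(record) < 1 + 2 + len(PADDING):
        return None                            # too short to even hold the header
    _hb_type, claimed = struct.unpack("!BH", record[:3])
    if 1 + 2 + claimed + len(PADDING) > len(record):
        return None                            # length field lies: drop it silently
    payload = record[3:3 + claimed]            # now provably inside the record
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + payload + PADDING


def leaked_bytes(response: bytes, honest_payload: bytes) -> bytes:
    """Everything in a response beyond the echo the client was entitled to."""
    _hb_type, claimed = struct.unpack("!BH", response[:3])
    return response[3 + len(honest_payload):3 + claimed]


if __name__ == "__main__":
    honest = build_heartbeat(b"ping", 4)
    malformed = build_heartbeat(b"ping", 60)   # says 60 bytes, carries 4
    print(leaked_bytes(handle_heartbeat_vulnerable(malformed), b"ping"))
    print(handle_heartbeat_fixed(malformed))   # None: the patched server drops it
```

The vulnerable handler returns padding followed by neighbouring memory, which is exactly the kind of data (passwords, session tokens) the article describes being at risk; the fixed handler never reads past the bytes it actually received.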
With everything from passwords to personal info to credit card data at risk, Heartbleed is a pretty big deal. And critics of the NSA say it's the sort of bug the agency should have reported to the cybersecurity community, rather than kept secret for its own use.
An ACLU representative told Ars Technica, "If this report is true, then the NSA is making hundreds of millions of people around the world more vulnerable to hacking and identity theft, and it’s compromising the trust that allows the internet to function."
The NSA is categorically denying these allegations. Shortly after the Bloomberg story went public, the agency posted this statement on Twitter.
And one administration spokesperson told Politico: "If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."
But some tech observers are skeptical of the NSA's denial.
The Electronic Frontier Foundation points to at least one Heartbleed-style intrusion logged in November 2013, which seemed to be from a botnet intent on monitoring Internet chat networks: "an activity that makes a little more sense for intelligence agencies than for commercial or lifestyle malware developers."
Most servers affected by Heartbleed are in the process of patching their OpenSSL. If you're concerned about your personal information, change your passwords, but only after the site has finished updating its security; a password changed before the patch is in place can simply be leaked again.