NEW YORK -- Passwords and other sensitive data are at risk after security researchers discovered a problem with an encryption technology used to securely transmit email, e-commerce transactions, social networking posts and other Web traffic.
Security researchers say the threat, known as Heartbleed, is serious, partly because it remained undiscovered for more than two years. Attackers can exploit the vulnerability without leaving any trace, so anything sent during that time has potentially been compromised. It's not known, though, whether anyone has actually exploited this flaw.
A fix is available, but websites and service providers must install the update. Meanwhile, researchers say people should change all of their passwords.
The problem was found in OpenSSL, a technology that is the basis for encrypting Web traffic. Researchers say that OpenSSL is used by two of the most widely used Web server programs, Apache and nginx. That means many websites potentially have this security flaw.
Researchers say the technology is also used to secure email, chats and virtual private networks, which are used by employees to connect securely with corporate networks.
The flaw was discovered independently by researchers at Google and the Finnish security firm Codenomicon.