Heartbleed, the latest amorphous thing on the internet to not fully understand but to be afraid of anyway, is a newly uncovered security hole in a popular encryption technology. Until this week, the flaw, which affects websites like Facebook, Gmail, and Instagram, was overlooked by everyone. Except the NSA, of course. Bloomberg reports:
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.
That’s right: For about two years, the U.S. government knew passwords across the internet were at risk and told no one, instead using the glitch, supposedly, for national defense. “We’ve never seen any quite like this,” a security firm researcher told Bloomberg of Heartbleed. “Not only is a huge portion of the internet impacted, but the damage that can be done, and with relative ease, is immense.” That risk, we’ll surely be told, was outweighed by our protection by shadowy forces.
The NSA has so far declined to comment, but this one is really going to rankle people. Don’t expect the reinvigorated NSA outrage to settle any time soon.
Update: The government denies Bloomberg’s report:
“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong,” the agency said in a statement to NBC News.