NEW YORK — It now appears that the "Heartbleed" security problem affects not just websites, but also the networking equipment that connects homes and businesses to the Internet.
A defect in the security technology used by many websites and equipment makers have put millions of passwords, credit card numbers and other personal information at risk. The extent of the damage caused by Heartbleed isn't known. The threat went undetected for more than two years, and it's difficult to tell if any attacks resulted from it because they don't leave behind distinct footprints.
But now that the threat is public, there's a good chance hackers will try to exploit it before fixes are in place, says Mike Weber, vice president of the information-technology audit and compliance firm Coalfire.
Two of the biggest makers of networking equipment, Cisco and Juniper, have acknowledged that some of their products contain the bug, but experts warn that the problem may extend to other companies as well as a range of Internet-connected devices such as Blu-ray players.
"I think this is very concerning for many people," says Darren Hayes, professor of security and computer forensics at Pace University. "It's going to keep security professionals very busy over the coming weeks and months. Customers need to make sure they're getting the answers they need."
On Friday the Obama administration denied that the National Security Agency or other parts of the federal government had known about Heartbleed. The White House was responding to a report by Bloomberg News citing two unidentified sources who said that the NSA had known about the flaw and "regularly used it to gather critical intelligence." Outside experts expressed strong doubts about the report, noting that the information that could be gleaned from the Heartbleed bug was somewhat random, meaning that it probably would be a clumsy intelligence tool.