A newly discovered bug in in the popular OpenSSL cryptographic software library has made data on many of the world's major websites vulnerable to theft by hackers. The so-called "Heartbleed Bug" allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The vulnerability could enable remote attackers to access sensitive data including passwords and secret keys that can decode traffic as it travels across the Internet.

The U.S. government's Department of Homeland Security has already advised businesses to review their servers to see if they were using vulnerable versions a type of OpenSSL. A fixed OpenSSL has been released and now it has to be deployed.

The bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

Status of different versions of the OpenSSL:

- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable

Security experts estimate that hundreds of thousands of web and email servers around the globe need to be patched as soon as possible to protect them from attack by hackers.

And according to a recent report from the Arstechnica.com web site, Security researcher Mark Loman was able to extract data from Yahoo Mail servers by using a free tool.