BARCLAY MIS Realestate Recoveries

Heartbleed, a major vulnerability in common encryption software

Heartbleed, a major vulnerability in common encryption software, is affecting many websites and online services:

Researchers have discovered a long-standing vulnerability in OpenSSL, the software that most websites and many other online services, such as email and VPNs, use to encrypt and secure your communication.

The OpenSSL vulnerability is reported to have been around since 2011. Following recent publicity, there is growing evidence that websites are being targeted using this vulnerability.

Around two-thirds of websites and many other services currently use affected versions of OpenSSL (which stands for Open Secure Sockets Layer, the most common cryptographic software used on web servers). You would recognise websites using OpenSSL by the small padlock icon in the browser address bar or the ‘s’ added to the ‘http’ prefix for web addresses.

An attacker could use this vulnerability (also referred to as ‘Heartbleed’) to read the memory of systems protected by OpenSSL. That memory can expose the secret keys used to encrypt traffic, as well as names and passwords, and even content.

It means a hacker can eavesdrop on your communications with a website or service, steal data directly from a website or user, or impersonate a website or user.

There are a large number of affected websites and other services, including, for example, Yahoo (now fixed). Most reputable organisations should already be updating their OpenSSL and renewing certificates to address the issue. However, with so many sites potentially affected, some may not be updated as quickly.

More information is likely to emerge about this issue in the coming days.

Author: David Banks
Posted: Friday 2 May 2014, 14:08