According to a report by Bloomberg, the Heartbleed bug, which has been the talk of the Web security community this week, has been known to and exploited by the National Security Agency for at least two years. According to two sources familiar with the matter, the bug was kept secret for national security purposes, while the agency used it to obtain passwords and other data.
The report suggests that the NSA maintained access for the entire lifespan of the bug, since it was first committed in 2012.
This would give the NSA access to as many as two-thirds of the encrypted servers on the Web.
This revelation also casts major doubts on the NSA’s role in U.S. Cyber Defense. A former Air Force cyber officer told Bloomberg, “they are going to be completely shredded by the computer security community for this.”
UPDATE: The NSA has issued a statement on Twitter claiming they were “not aware of the recently identified Heartbleed vulnerability until it was made public.” However, the NSA’s track record for honesty is not so good.