Report: NSA Knew About Heartbleed Vulnerability for Years, Used It to Collect Intelligence

Jason O. Gilbert
Technology Editor
April 11, 2014

The National Security Agency had been aware of the recently discovered Heartbleed vulnerability for more than two years and did nothing to inform consumers, according to a new report from Bloomberg News. Citing anonymous sources, Bloomberg claimed that the NSA exploited Heartbleed — a flaw in common Internet encryption that left passwords and other vital information visible to and obtainable by hackers — to collect intelligence on web surfers. 

Bloomberg cited “two people familiar with the matter”; the NSA declined to comment through a spokesperson. Many on Twitter expressed outrage at the report, arguing that the NSA’s silence left Internet users vulnerable to cyber-attacks, despite the agency’s mandate to keep Americans safe.

Researchers with Google and security firm Codenomicon discovered the Heartbleed bug earlier this week, warning that it had existed for more than two years. Since then, many popular affected websites, including Yahoo and Tumblr, have patched the bug and urged visitors to change their passwords to protect themselves. 

Also on Friday, the Department of Homeland Security warned banks and other businesses that hackers may try to use the Heartbleed bug to steal critical data. 

You can read more about the Heartbleed vulnerability here. And here are our recommendations for the passwords you need to change because of Heartbleed. 

UPDATE: The NSA Public Affairs Office Twitter account sent out the following statement, claiming the agency had no knowledge of Heartbleed until it was uncovered this week. 

The NSC also released a longer statement, which you can read here, completely disavowing the Bloomberg report, claiming that “[i]f the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have disclosed to the community…”

"It is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose."
