Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and "https:" on Web browsers to signify that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock had been closed. Interlopers could also grab the keys for deciphering encrypted data without the website owners knowing the theft had occurred, according to security researchers.
(Also see: Heartbleed bug causing major security headache)
The problem affects only the variant of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet.
About two-thirds of Web servers rely on OpenSSL, Chartier said. That means the information passing through hundreds of thousands of websites could be vulnerable, despite the protection offered by encryptions. Beside emails and chats, OpenSSL is also used to secure virtual private networks, which are used by employees to connect with corporate networks seeking to shield confidential information from prying eyes.
(Also see: Heartbleed bug: What you need to know)
Yahoo, which has more than 800 million users around the world, said Tuesday that most of its popular services had been fixed, but work was still being done on other products that it didn't identify. The repairs have been made on a list of services that includes its home page, search engine, email, finance and sport sections, Flickr photo-sharing service and its Tumblr blogging service.
Security experts said Yahoo users, in particular, should change their passwords, because that company had not completely patched its software until after the flaw became public. On Tuesday afternoon, while looking for vulnerabilities, researchers reported that they had been able to capture user names and passwords from Yahoo.
Google is so confident that it inoculated itself against the Heartbleed bug before any damage could be done that the Mountain View, California, company is telling its users they don't have to change the passwords they use to access Gmail, YouTube and other product accounts. More than 425 million Gmail accounts alone have been set up worldwide.
Facebook, which has more than 1.2 billion accountholders, also believes its online social network has purged the Heartbleed threat. But the company encouraged "people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don't use on other sites."
Twitter and e-commerce giant Amazon say their websites weren't exposed to Heartbleed.
The folks over at Mashable have also set up a handy list of other services for which you might need to change your password, thanks to Heartbleed.
Written with agency inputs