
The NSA allegedly knew about & exploited Heartbleed for at least two years (updated)

Image Credit: Gabby/Flickr



Updated at 1:47 p.m. Pacific with statement from the NSA.

Heartbleed, the controversial security flaw affecting nearly every major site on the Internet, has been exploited by the U.S. National Security Agency for at least two years, Bloomberg alleges in a report.

The NSA has released a statement this afternoon denying it knew about Heartbleed before it was publicly disclosed.

Bloomberg claims that the NSA put “the Heartbleed bug in its arsenal” of surveillance tools and used it to steal passwords and other forms of data. Perhaps most important, the NSA did not report the security hole to developers, thus leaving “millions” of people “vulnerable to attack from other nations’ intelligence arms and criminal hackers,” Bloomberg says.




Heartbleed arose inside a version of the open-source OpenSSL cryptographic software. Information sitting in a server's memory should be encrypted, but an attack could pull out a little bit of that data. The vulnerability affected widely used infrastructure from cloud providers like Heroku and Amazon Web Services, as well as networking hardware from vendors like Cisco and Juniper.

A new version of OpenSSL is now available.

But as we’ve previously reported, the Heartbleed flaw enabled “attackers to ‘listen in’ on communications between those websites and the browsers visiting them.”

This news follows reports last year alleging that the NSA has purposely introduced vulnerabilities into encryption standards.

Jordan Novet contributed to this report.