The widespread bug that surfaced on Monday of last week when it was disclosed that a pernicious flaw in a widely used Web encryption system known as OpenSSL opened hundreds of thousands of web sites including thousands of retailer sites to data theft.
The frenzy intensified after Bloomberg News reported that the US National Security Agency had known about the hole for two years but kept it secret in order to gather intelligence on foreign targets.
The NSA denied that report. "Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong," said White House spokeswoman Caitlin Hayden.
Meanwhile a German volunteer coder has lodged a mea culpa, claiming he had unintentionally introduced the bug on New Year's Eve 2011 while he was working on bug fixes for OpenSSL.
Robin Seggelmann, a 31-year-old who now works for T-Systems, a unit of Deutsche Telekom, said in a blog that the error had been overlooked by multiple coders working on OpenSSL.
Security company McAfee meanwhile has described Heartbleed as a severe vulnerability.
"The severity of the Heartbleed vulnerabillity cannot be overstated," said Gary Davis, a McAfee vice president. "This is a flaw in the OpenSSL encryption code, not a virus that can be stopped by McAfee or other consumer security software.
Davis said users should wait to be notified about affected services and patches or investigate a list provided by Mashable.
Users should only change their passwords after the afflicted business has fixed its servers to remove the vulnerability. Current services where users should change passwords, according to Mashable, include Facebook, Instagram, Pinterest, Tumblr, Google, Yahoo, Flickr, Netflix and Amazon Web Services.