Two anonymous sources have been quoted by Bloomberg as saying the National Security Agency not only knew about the Heartbleed bug, but exploited the hole to gather information on civilians.
The NSA declined to comment on the Heartbleed issue, but the report comes at a time when the agency is undergoing intense scrutiny, Bloomberg reported.
Heartbleed refers to a flaw in a security protocol that protects countless websites and web services, according to Bloomberg. The hole was caused by a coding mistake and was left unnoticed for two years.
Heartbleed allows anyone to read the memory of servers running OpenSSL, which leaves information such as usernames, passwords and credit card data exposed, Bloomberg reported.
Vanee Vines, an NSA spokeswoman, did not provide comment, Bloomberg reported.
Heartbleed has also been reported to affect Android smartphones and tablets that run the 4.1.1 version of the Google operating system, according to Bloomberg.
In a statement on Google's online security blog, the company says patching information has been submitted to partners, Bloomberg reported. Cisco also says multiple products incorporate OpenSSL, an implementation of the Secure Sockets Layer protocol used to encrypt sensitive data.
"It flies in the face of the agency's comments that defense comes first," said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer, according to Bloomberg. "They are going to be completely shredded by the computer security community for this."
Web services have scrambled since the revelation of Heartbleed to fix the bug, and several companies, including Facebook, Google and Yahoo, have confirmed they are clear, according to Bloomberg.
The Department of Homeland Security has joined the chorus of impacted services urging consumers to change their passwords on updated sites, Bloomberg reported. In a statement, the agency notes no attacks or incidents tied to Heartbleed have been confirmed.