NSA denies prior knowledge of Heartbleed bug

The NSA has issued a statement denying that it exploited the Heartbleed bug to obtain confidential data as part of its surveillance activities.

A report from Bloomberg last week claimed that "two people familiar with the matter" said the agency was aware of the bug for two years and had used it to collect "critical intelligence".

Describing the search for security flaws as "central to NSA’s mission", the piece said the agency had "1,000 experts" dedicated to seeking vulnerabilities similar to Heartbleed.

The Office of the Director of National Intelligence (ODNI) rebuffed the allegations, saying: "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong."

Heartbleed was a result of inept coding which allowed hackers to view sensitive information and even access data on previous transactions without leaving a trace.

Sites affected include Yahoo, Imgur, Flickr, Steam and OkCupid.

Thought to have been known to hackers since March 2012, it was discovered by Google engineer Neel Mehta and Finnish security firm Codenomicon independently, and has existed since December 2011.

American spy agencies have been under increasing scrutiny since whistleblower Edward Snowden reported widespread internet surveillance by the NSA, leading many to treat assurances by security officials with scepticism.

The ODNI insisted that the US government took seriously its responsibility to help maintain an open, interoperable, secure and reliable internet.

"When federal agencies discover a new vulnerability in commercial and open source software – a so-called "zero day" vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose," the office’s statement added.

Users of compromised websites have been advised to change their passwords once systems have been patched, despite early advice telling users to immediately alter their details.

In a blog post on his website, British security expert Graham Cluley said: "If you change your passwords *before* a website has been fixed, you might actually be exposing your credentials to *greater* risk of being snarfled up by people exploiting the vulnerability in the buggy versions of OpenSSL."