BY MEGHAN NEAL

Security holes are par for the course on the Web today, but a new, massive bug dubbed "Heartbleed” is particularly nasty, and widespread: Experts say that two-thirds of websites and nearly everyone that’s used the Internet in the last two years could be affected to some extent.

The irony is, the those who have put the most effort into privacy and security are the most vulnerable. 

The bug exposes the popular cryptographic software, OpenSSL, a mainstay Web encryption. Heartbleed makes it possible for anyone to eavesdrop on encrypted sites and access the sensitive data they’re supposed to be protecting, all without leaving any trace on the site’s server. Even worse, attackers can also retrieve cryptographic keys and passwords and use that info to decrypt any past or future web traffic.

The bug was introduced in the 1.01 version of OpenSSL in 2012, which means for two years attackers exploiting the bug could have exposed VPNs and anonymity services, and accessed users’ emails, instant messages, and browsing activity.

The lion's share of websites that use the HTTPS secure communications protocol run OpenSSL, and of course sites specifically designed to hide users' identity are at risk, including the Tor onion network.

The Tor Project wrote in a blog post yesterday that Tor clients, relays, and hidden services were all vulnerable to the Heartbleed bug. In theory, anyone that had been using Tor—be it to buy drugs on the black market or protect themselves from oppressive governments or anything in between—may have had their activity monitored and encryption keys stolen.

Read the full story on Motherboard.

Photo via Shutterstock