Heartbleed bug still affects thousands of sites

US still has more than 42,000 websites vulnerable to the flaw, which can allow an attacker to steal data directly from websites and users.
Written by Zack Whittaker, Contributor

Close to 200,000 websites and servers remain vulnerable to a nasty bug found in a widely-used encryption library, almost three years after the bug was first discovered.

At the time of the Shodan Report's release this week, a total of 199,594 servers were vulnerable to the bug, with more vulnerable servers in the US than in any other country.

South Korea, China, Germany, and France followed behind.

At the time of writing, the overall number had dropped to 192,069 vulnerable servers, according to Shodan's live search engine, which looks for and logs open, unsecured internet-connected databases and devices.


The bug, known as Heartbleed (but formally designated CVE-2014-0160), was found in an earlier version of OpenSSL, a common open-source cryptographic library. Researchers say the flaw could allow an attacker to reveal the contents of encrypted data -- and compromise the SSL keys of the website or server.

A later version of OpenSSL fixed the bug, and hundreds of thousands of affected sites scrambled to patch it.

Despite the severity of the vulnerability, over 300,000 servers were left vulnerable to the flaw just a couple of months after the discovery.

That number has barely dropped in the two years since.
