
Internet security flaw leaves millions of passwords exposed

Compromised: The Heartbleed bug left a hole in global internet security

An internet security flaw has exposed millions of passwords, credit card numbers and other sensitive information to potential theft by computer hackers.

The bug, known as Heartbleed, has opened a hole in the protection provided by widely used encryption software and has prompted several technology firms to urge users to change their passwords.

The problem is of particular concern to information technology experts because it existed for more than two years before it was detected, and because exploitation through Heartbleed leaves little trace, making it very difficult to tell whether an attack has occurred.

A small team from the Finnish security firm Codenomicon diagnosed Heartbleed while working independently of a Google researcher who also discovered the threat.

Butterfield Bank yesterday said its online banking services were not vulnerable to Heartbleed. And the bank took the opportunity to warn customers to watch out for “phishing” e-mails, sent by scam artists to find out people’s bank details, that might proliferate after the Heartbleed scare.

HSBC Bermuda said the Heartbleed issue was being investigated by HSBC on all of its systems worldwide, with no vulnerability discovered so far.

Internet giants Google and Facebook said they weren’t affected either. However, Yahoo, which claims to have more than 800 million users worldwide, is among the internet services that could be potentially hurt by Heartbleed.

Yahoo said most of its most popular services — including sports, finance and Tumblr — had been fixed, but work was still being done on other products that it did not identify.

Internet security expert Stephen Davidson, of Bermuda-based QuoVadis, said yesterday that the flaw was “a big deal”.

QuoVadis, which, as a major supplier of digital certificates specialises in internet security, was yesterday dealing with many calls from concerned clients around the world.

“Nobody knows how big the scale of this is, but I’ve seen estimates that it could be affecting half a million servers on the internet,” Mr Davidson said.

The most notable software potentially vulnerable to the bug is the open-source web servers Apache and Nginx, which together have a market share of about two thirds of the active sites on the internet, according to the website heartbleed.com, set up by Codenomicon to provide information on the flaw.

The flaw is in OpenSSL, a freely available open-source “toolkit” that software developers use to implement SSL and its successor, TLS. SSL refers to the encryption protocol known as Secure Sockets Layer; its use is indicated by the closed padlock that appears in browsers next to a website’s address. The bug itself lies in OpenSSL’s handling of the TLS “heartbeat” extension, a keep-alive message between browser and server, which is how it got its name.

Mr Davidson said the flaw was down to a programming error in OpenSSL. The code that answers a heartbeat message trusts the length stated in the message rather than the amount of data actually received, so a crafted message can make a server send back up to 64 kilobytes of whatever else happens to be in its memory. The affected releases are OpenSSL 1.0.1 through 1.0.1f; the hole is closed by updating to 1.0.1g, or to a vendor build that carries the fix, and then restarting every service that loaded the old library. Because the bug may already have exposed a server’s private key, patching alone is not enough: the site’s certificate must be reissued with a new key and the old one revoked. With OpenSSL so widely used, that means a busy time for IT professionals and for a Digital Certificate Authority (CA) like QuoVadis.

“Today is about updating software and replacing certificates,” Mr Davidson said yesterday. “Next, those affected websites will need to start looking at updating passwords for their own users.

“There are likely to be potential impacts from this bug that will become apparent in the next week or two,” he added.

It is difficult for the average user of online services to know which websites may have been vulnerable to the bug, Mr Davidson said. And because the attack happens inside the encryption layer, before any web request is made, it leaves little trace in ordinary server logs, making it difficult to tell what, if anything, has been compromised.

The flaw lets an attacker read chunks of a vulnerable server’s memory, which can contain passwords, session cookies and the private keys used to secure connections, so traffic can be read even though the browser shows a closed padlock. Hackers could grab those keys without the website owners knowing the theft had occurred, according to security researchers.

QuoVadis, on its website (www.quovadisglobal.bm), has issued a release on Heartbleed that includes a link to a test site that allows administrators to test any SSL website for potential vulnerability to Heartbleed by typing in the domain name.
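The programming error Mr Davidson refers to, and the condition a test site such as the one QuoVadis links to is probing for, come down to one missing comparison. The following is an added example, not code from the article, QuoVadis or the OpenSSL project: a simplified C model of the heartbeat handler in its vulnerable shape and in the 1.0.1g shape, run against a constructed request that claims 64 bytes of payload while sending none. The message format follows RFC 6520; the “secret” string placed after the record, the `struct conn` buffer and all function names are assumptions made for the demonstration.

```c
/* Added example (not code from the article, QuoVadis or OpenSSL): a simplified
 * model of the TLS heartbeat handler in OpenSSL 1.0.1 to 1.0.1f (CVE-2014-0160)
 * next to the bounds check added in 1.0.1g. Layout follows RFC 6520: 1-byte type,
 * 2-byte payload length, payload, >=16 bytes padding. The buffer and the "secret"
 * after the record are constructed; a real server over-reads neighbouring heap. */
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Simulated connection: the received record is the first rec_len bytes of mem;
 * the rest stands in for neighbouring heap (one array keeps the over-read defined). */
struct conn {
    unsigned char mem[256];
    size_t rec_len;   /* bytes actually received (s->s3->rrec.length in OpenSSL) */
};

/* Echoes `payload` bytes from src into a response; padding zeroed for simplicity. */
static size_t write_response(unsigned char *out, const unsigned char *src, unsigned int payload)
{
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, src, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + payload + HB_PADDING;
}

/* Vulnerable shape: the length comes from the attacker's message and is never
 * compared with rec_len, so memcpy reads past the record into other memory. */
size_t heartbeat_vulnerable(const struct conn *c, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = c->mem;
    unsigned int hbtype = *p++;
    unsigned int payload = (p[0] << 8) | p[1];   /* OpenSSL's n2s() */
    p += 2;
    if (hbtype != HB_REQUEST || 1 + 2 + (size_t)payload + HB_PADDING > out_cap)
        return 0;   /* the out_cap test is a demo-only guard so `out` cannot overflow */
    return write_response(out, p, payload);
}

/* Fixed shape (1.0.1g): discard records too short for header plus padding, then
 * discard any claimed payload that does not fit in the bytes actually received. */
size_t heartbeat_fixed(const struct conn *c, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = c->mem;
    if (1 + 2 + HB_PADDING > c->rec_len)
        return 0;   /* silently discard */
    unsigned int hbtype = *p++;
    unsigned int payload = (p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > c->rec_len)
        return 0;   /* silently discard: this is the Heartbleed check */
    if (hbtype != HB_REQUEST || 1 + 2 + (size_t)payload + HB_PADDING > out_cap)
        return 0;
    return write_response(out, p, payload);
}

/* Constructed request: the length field claims `claimed` payload bytes while only
 * strlen(actual) were sent; a marker standing in for a session secret follows. */
void build_conn(struct conn *c, unsigned int claimed, const char *actual)
{
    static const char secret[] = "SECRET:session-key-and-password-bytes";
    size_t n = strlen(actual);
    memset(c->mem, 0, sizeof c->mem);
    c->mem[0] = HB_REQUEST;
    c->mem[1] = (unsigned char)(claimed >> 8);
    c->mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(c->mem + 3, actual, n);
    c->rec_len = 3 + n + HB_PADDING;   /* what actually arrived on the wire */
    memcpy(c->mem + c->rec_len, secret, sizeof secret - 1);
}

/* 1 if the marker appears in the first n bytes of a response. */
int response_contains_secret(const unsigned char *out, size_t n)
{
    static const char marker[] = "SECRET:";
    for (size_t i = 0; i + sizeof marker - 1 <= n; i++)
        if (memcmp(out + i, marker, sizeof marker - 1) == 0)
            return 1;
    return 0;
}

/* Runs one request through a handler; returns the response length and sets
 * *leaked if the constructed secret came back in the response. */
size_t run_probe(size_t (*handler)(const struct conn *, unsigned char *, size_t),
                 unsigned int claimed, const char *actual, int *leaked)
{
    struct conn c;
    unsigned char out[256];
    build_conn(&c, claimed, actual);
    size_t n = handler(&c, out, sizeof out);
    *leaked = response_contains_secret(out, n);
    return n;
}
```

Calling `run_probe(heartbeat_vulnerable, 64, "", &leaked)` returns an 83-byte response in which the marker string appears, while `heartbeat_fixed` returns 0 for the same request and still answers a well-formed one (`run_probe(heartbeat_fixed, 4, "ping", &leaked)` returns 23 bytes with no leak). A network probe does the same thing over a real TLS connection: it sends a heartbeat request with an inflated length field and treats any reply longer than the payload it sent as proof of the vulnerability, which is why an unpatched server can be confirmed, and its memory read, without anything appearing in the web server’s logs.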

Apart from a rush of calls for assistance from its clientele, in Bermuda as well as overseas, QuoVadis was yesterday seeing heavy traffic on its Trust/Link function, which allows clients to self-serve, replacing their own digital certificates, Mr Davidson said.

A spokesperson for Butterfield Bank said yesterday: “Butterfield advises our customers in Bermuda and the Cayman Islands that Butterfield Online, our internet banking service, was not and is not vulnerable to the OpenSSL ‘HeartBleed’ issue.

“At this time, we would also like to remind our customers that Butterfield will NEVER e-mail them with instructions or requests to update their online banking credentials. Should customers receive e-mails, purportedly from the bank, that cite the ‘Heartbleed’ issue or similar issues as a reason to change or update their online banking credentials, they should disregard those e-mails.

“Under no circumstances should they click on any links or attachments included therein. Suspicious e-mails should be reported to Butterfield by forwarding them to phishing@butterfieldgroup.com.”

A spokesperson for HSBC Bermuda said: “We are aware of the OpenSSL Heartbleed bug, and have been investigating this issue across HSBC systems globally. So far, we have not found any HSBC systems that are affected but we continue to review and monitor the situation closely.”

Many large consumer sites running OpenSSL are not vulnerable to being exploited because the encryption for their public-facing connections is handled by specialised equipment or software rather than by the affected OpenSSL code, experts have indicated.

Google said: “The security of our users’ information is a top priority. We proactively look for vulnerabilities and encourage others to report them precisely so that we are able to fix them before they are exploited. We have assessed the SSL vulnerability and applied patches to key Google services.”

In a statement, Facebook said it “added protections for Facebook’s implementations of OpenSSL before this issue was publicly disclosed, and we haven’t detected any signs of suspicious activity on people’s accounts.”