Federal Regulators Advise Banks to Protect Their Systems From Internet Security Flaw

Updated, 7:17 p.m. | Federal regulators are advising banks to take steps to protect their systems from the Heartbleed Internet security flaw that could put sensitive customer information at risk.

A group of regulators, including the Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency, said that banks should upgrade their systems to protect customer information.

Heartbleed is a flaw in OpenSSL, a security software library used on many online banking and retail websites. OpenSSL encrypts data in transit to keep it safe from intruders trying to steal confidential information such as bank routing or credit card numbers.

In an alert issued late Thursday, the regulators said banks should make sure third-party vendors are fixing the problem and then “strongly consider requiring” users and administrators to change their passwords.

“Financial institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information,” the alert said.

The regulators, acting as members of the Federal Financial Institutions Examination Council, also warned that Heartbleed could be exploited to infiltrate the banks themselves. “Attackers could potentially impersonate bank services or users, steal login credentials, access sensitive email or gain access to internal networks.”

The problem was first discovered by a team of security experts and researchers last week and disclosed on Monday. By Tuesday, a number of large websites, including Yahoo, Facebook, Google and Amazon Web Services, said they were fixing the problem or had already fixed it. The banking regulators said the Heartbleed vulnerability has existed since Dec. 31, 2011.

A spokesman for the F.D.I.C. said there was no evidence that Heartbleed breaches had occurred at any specific financial institutions.