Security researchers have discovered a serious bug, nicknamed Heartbleed, that affects nearly two-thirds of all websites. The bug lets hackers easily steal encryption keys, visitor usernames and passwords, financial data and plenty of other information they shouldn't have.
It's a complicated bug, but let me explain how it all works.
If you don't care how it works, skip further down for the things you can do to stay safe.
The bug is found in OpenSSL, a widely used software library that implements the SSL/TLS encryption protocols many websites rely on to encrypt your communication. If you see "https" in the address bar of a site you're on, there's a good chance OpenSSL is involved. Learn more about Web encryption and how it (should) keep you safe.
Back in late 2011 and early 2012, developers created an add-on for OpenSSL called the "heartbeat extension." Unfortunately, there was a bug in it - one that turned out to give hackers an undetectable way into any site running a vulnerable version of OpenSSL. If you want the full details, Sophos' Naked Security blog has a very detailed explanation.
While the information the hackers can steal comes in random little chunks, they can collect a lot of the chunks and reconstruct data they aren't supposed to have. That's the bad news.
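To make the "little chunks" concrete, here is a small Python simulation of the heartbeat flaw and its fix. It is an added example, not code from the original article or from the OpenSSL project: it stands in for the server's memory with a plain byte string, places a constructed fake secret right after the received heartbeat record, and shows that the pre-fix logic trusts the client's declared payload length while the patched logic drops any request whose declared length does not fit inside the record actually received (the shape of the check the real fix added).

```python
import struct

# Heartbeat message layout (RFC 6520): type (1 byte), payload_length (2 bytes,
# big-endian), payload, then at least 16 bytes of padding.
HB_REQUEST = 1
HB_RESPONSE = 2
PADDING_LEN = 16
HEADER_LEN = 1 + 2


def build_heartbeat_request(payload: bytes, declared_len: int) -> bytes:
    """Build a heartbeat request. An honest client passes declared_len == len(payload);
    a malformed one declares more bytes than it actually sends."""
    return (bytes([HB_REQUEST]) + struct.pack("!H", declared_len)
            + payload + b"\x00" * PADDING_LEN)


class ProcessMemory:
    """Constructed stand-in for the server's heap: the received record sits
    directly in front of unrelated data (here a labelled fake secret)."""

    def __init__(self, record: bytes, neighbouring_data: bytes):
        self.buf = bytes(record) + bytes(neighbouring_data)
        self.record_len = len(record)   # what the TLS layer really received

    def read(self, offset: int, length: int) -> bytes:
        # An over-read silently returns whatever lies beyond the record.
        return self.buf[offset:offset + length]


def vulnerable_heartbeat_reply(mem: ProcessMemory) -> bytes:
    """Pre-fix behaviour: trust the client's length field and copy that many bytes."""
    declared_len = struct.unpack("!H", mem.read(1, 2))[0]
    payload = mem.read(HEADER_LEN, declared_len)      # may run past the record
    return bytes([HB_RESPONSE]) + struct.pack("!H", declared_len) + payload


def fixed_heartbeat_reply(mem: ProcessMemory):
    """Patched behaviour: header + declared length + padding must fit inside the
    record that was actually received; otherwise the request is discarded."""
    if mem.record_len < HEADER_LEN:
        return None
    declared_len = struct.unpack("!H", mem.read(1, 2))[0]
    if HEADER_LEN + declared_len + PADDING_LEN > mem.record_len:
        return None                                   # silently drop it
    payload = mem.read(HEADER_LEN, declared_len)
    return bytes([HB_RESPONSE]) + struct.pack("!H", declared_len) + payload


def simulate(payload: bytes, declared_len: int, neighbour: bytes):
    """Run both server behaviours against the same request and memory layout."""
    record = build_heartbeat_request(payload, declared_len)
    mem = ProcessMemory(record, neighbour)
    return vulnerable_heartbeat_reply(mem), fixed_heartbeat_reply(mem)


if __name__ == "__main__":
    # Constructed neighbouring data standing in for a real session secret.
    secret = b"[constructed] session_cookie=abc123"
    for declared in (4, 200):
        vuln, fixed = simulate(b"ping", declared, secret)
        print(f"declared={declared:3d} vulnerable={vuln!r}")
        print(f"declared={declared:3d} fixed={fixed!r}")
```

With an honest length both versions echo the four-byte payload; with an oversized length the unpatched version returns the payload, the padding and the neighbouring "secret", while the patched version returns nothing, which is exactly why the only real remedy is upgrading the library rather than filtering on the client side.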
The good news is that the latest version of OpenSSL fixes the problem and websites are already upgrading. Sites like Yahoo, Twitter, Tumblr and Dropbox - all named as vulnerable this morning - are already fixed.