The Heartbleed bug in OpenSSL means that any website with HTTPS encryption is vulnerable to attack. Users can tell that a website uses HTTPS security if they see "https" at the beginning of a URL.
About a third of websites use OpenSSL for HTTPS encryption. The bug was simultaneously discovered by Neel Mehta of Google Security and a team of security engineers at Codenomicon. After the bug was reported to OpenSSL Monday night, a number of popular websites advised users to change their passwords.
"But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit," said Tumblr in a blog post.
Tumblr is owned by Yahoo, and the company confirmed users' data had been compromised.
The one positive is that only one version of OpenSSL was affected, but that version has been active for two years and the bug was only discovered recently. A fix has been issued, but experts warn everyone should still change their passwords.
"This might be a good day to call in sick and take some time to change your passwords everywhere -- especially your high-security services like email, file storage, and banking, which may have been compromised by this bug," Tumblr wrote.
The security researchers who discovered the bug have also created a website with more information about Heartbleed and the security vulnerability on affected websites.