Federal regulators are advising banks to take steps to protect their systems from the Heartbleed Internet security flaw that could put sensitive customer information at risk.
A group of regulators, including the Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency, said that banks should upgrade their systems to protect customer information.
Heartbleed is a flaw in a security measure used on many on-line banking and retail websites. This measure, called OpenSSL, encrypts data to keep it safe from intruders trying to steal confidential information such as bank routing or credit card numbers.
In an unusual alert issued late Thursday, the regulators said banks should apply so-called patches to fix the problem and then “strongly consider requiring” users and administrators of their banking site to change their passwords.
“Financial institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information,” the alert said.
The regulators, acting as members of the Federal Financial Institutions Examination Council, also warned that Heartbleed could be exploited to infiltrate the banks themselves. “Attackers could potentially impersonate bank services or users, steal login credentials, access sensitive email or gain access to internal networks.”
The problem was first discovered by a team of security experts and researchers last week and disclosed on Monday. By Tuesday, a number of large websites, including Yahoo, Facebook, Google and Amazon Web Services, said they were fixing the problem or had already fixed it. The banking regulators said the Heartbleed vulnerability has existed since Dec. 31, 2011.
The alert by the banking regulators did not say whether Heartbleed breaches had occurred at any financial institutions.