A newly discovered computer bug has security experts scrambling. It’s called “heartbleed” and it affects what’s called openSSL.

Without getting into the jargon, the security flaw has to do with that little padlock you see on websites and the HTTPS in the address bar. That’s supposed to mean a website is secure.

But now experts say the widely used encryption software may have a major flaw meaning millions of websites — possibly two-thirds of the web — may have been leaking critically sensitive data for the past two years.

Yesterday, Tumblr — owned by Yahoo — became the largest website to disclose it’s been hit by the bug, it urged users to change not just the password for its site but for all others.

Security experts though, say if you change your password before the security flaw is fixed, that password would also be vulnerable. So don’t change until you’re sure the site’s been fixed.

And one of the problems here is a hacker could get in, get info from these sites and leave little if any trace, which means it could be impossible to tell what’s been breached.

And to make matters worse, in theory, a hacker could create a spoof or fake site to get users to disclose even more data.

A patch has been released, and sites are making fixes.

Check if a site is vulnerable by visiting here https://lastpass.com/heartbleed/