Within 24 hours of the Heartbleed bug’s disclosure last week, an attacker used it to break into a major corporation, security experts said Friday.

Using Heartbleed, the name for a flaw in security software that is used in a wide range of web servers and Internet-connected devices, the attacker was able to break into an employee’s encrypted virtual private network, or so-called VPN, session.

From there, the hacker or hackers used the Heartbleed bug about 1,000 times until successfully extracting information like passwords to get broader access to the victim’s network, said researchers at Mandiant, a cybersecurity firm.

The targeted company only noticed the attack in its later stages. When it began analyzing what happened, it realized the Heartbleed bug was used as the entry point, said Christopher Glyer, an investigator at Mandiant.

The attack was one of the first confirmed cases of a hacker using Heartbleed. Until now, researchers say they have seen widespread scanning of the Internet for vulnerable servers, and in some cases people have taken material from those servers using Heartbleed. But it has been nearly impossible, they say, to distinguish between the activities of security researchers and those of hackers, and there has been no evidence that actual harm was done.

Investigators were still assessing whether actual damage had been done, and because of nondisclosure agreements, the firm has not named the targeted company, saying only that it is a “major corporation” with particularly sophisticated attack detection systems.

“The main takeaway is that within 24 hours of Heartbleed’s publication, we’re seeing this taken advantage of,” Mr. Glyer said. “And it’s entirely likely lots of other companies are being affected and just don’t know it yet.”

On Tuesday, a 19-year-old man was arrested in Canada on charges that he had also used the Heartbleed flaw to steal taxpayer data from the Canada Revenue Agency.

At the University of Michigan, computer scientists said the Heartbleed bug had been used by 41 groups to access stashes of data that the scientists themselves had put on the Internet as a test. They could not say whether the probes were the work of attackers or other security researchers, but they did say that over half of the probes had originated in China.

The University of Michigan researchers said earlier this week that there were still over 1 million web servers vulnerable. They are keeping an updated tally on their website.

It was still unclear whether the Heartbleed bug was exploited before its discovery by a Google researcher earlier this month.

For the last week, researchers at the Berkeley National Laboratory and the National Energy Research Scientific Computing Center, a separate supercomputer facility, have been examining Internet traffic they recorded going in and out of their networks since the end of January, looking for exploitation of Heartbleed before the bug became public on April 7.

So far, they have found none.