The National Security Agency knew about a massive flaw in a protocol used to secure the transmission of sensitive information over the Internet and exploited the glitch to collect intelligence under its surveillance programs, Bloomberg News reported on Friday.

The NSA’s decision to exploit, instead of disclose, the so-called “Heartbleed” glitch left millions of people vulnerable to cyber attack over the past two years.

Heartbleed — a flaw that affects the security of sensitive information like passwords, credit card numbers and other personal information — was discovered and disclosed by researchers in Finland who were working on encryption technology updates. It is believed the flaw affected around two-thirds of websites on the Internet — tens of thousands, potentially millions, of online services that Internet users take advantage of every day.

The flaw prompted online services to encourage customers to change their passwords, even though there was no proof that anyone knew about or had exploited the glitch before its discovery.

That is, until Friday’s report by Bloomberg. While NSA officials denied the story, at least two unnamed sources reportedly told Bloomberg that the bug was one of many glitches the NSA has regularly used over the past two years in the execution of its surveillance missions.

Bloomberg reported that the NSA was able to gain “passwords and other basic data” by exploiting the Heartbleed bug. The agency’s decision not to disclose it to companies or the public at large left “millions of ordinary users…vulnerable to attack from other nations’ intelligence arms and criminal hackers,” Bloomberg said.

That contradicts the agency’s position that national defense comes first, the Atlantic Council’s Jason Healey told Bloomberg, adding that the agency will be “completely shredded by the computer security community for this.”

The federal intelligence community has been under a public microscope for much of the past year after details of the NSA’s clandestine surveillance programs were made public by former government contractor Edward Snowden. The unauthorized leak of thousands of classified documents by Snowden forced the intelligence agency to account for many spy programs that targeted the data of key foreign allies and, in at least one case, American citizens themselves.

The so-called “bulk telephone metadata program,” by which intelligence agencies received call data of millions of American phone customers, was eventually modified after a presidential review panel found that the program did little, if anything, to combat foreign security threats against the United States.

Bloomberg: NSA knew about ‘Heartbleed’ flaw for two years