Updated at 1:47 p.m. Pacific with statement from the NSA.

Heartbleed, the controversial security flaw affecting nearly every major site on the Internet, has been exploited by the U.S. National Security Agency for at least two years, Bloomberg alleges in a report.

The NSA has released a statement this afternoon denying it knew about Heartbleed before it was publicly disclosed.

Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public. — NSA/CSS (@NSA_PAO) April 11, 2014

Bloomberg claims that the NSA put “the Heartbleed bug in its arsenal” of surveillance tools and used it to steal passwords and other forms of data. Perhaps most important, the NSA did not report the security hole to developers, thus leaving “millions” of people “vulnerable to attack from other nations’ intelligence arms and criminal hackers,” Bloomberg says.

Heartbleed arose inside a version of open-source OpenSSL cryptographic software. Information sitting inside the memory of a server should be encrypted, but a little bit of data could be pulled out under an attack. The vulnerability affected widely used infrastructure from cloud providers like Heroku and Amazon Web Services as well as networking hardware from vendors like Cisco and Juniper.

A new version of OpenSSL is now available.

But as we’ve previously reported, the Heartbleed flaw enabled “attackers to ‘listen in’ on communications between those websites and the browsers visiting them.”

This news follows reports last year that allege that the NSA has purposely introduced vulnerabilities into encryption standards.

Jordan Novet contributed to this report.