US intelligence agencies have denied a report that they exploited the Heartbleed bug in internet encryption to gather intelligence, saying they were not aware of the vulnerability until it was publicly exposed.

The so-called Heartbleed bug in OpenSSL, which was introduced about two years ago into the encryption software that is widely used to secure internet transactions and websites, is considered one of the most serious internet security flaws to be uncovered in recent years.

The National Security Agency (NSA), the White House and the Office of the Director of National Intelligence issued statements after Bloomberg reported that the spy agency had been aware of the bug for at least two years and used it to obtain passwords and other basic information via hacking operations.

The Bloomberg report cited two unnamed sources who were familiar with the matter.

White House National Security Council spokeswoman Caitlin Hayden said in a statement that reports that the NSA or any other part of the government knew of the vulnerability before April 2014 were wrong.

"This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable internet," Ms Hayden said.

She said that when US agencies discover a new vulnerability in commercial and open-source software, "it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose".

Such vulnerabilities are known as "zero-day" flaws because the software developers have had zero days to fix them.

NSA spokeswoman Vanee Vines said in a separate statement: "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report."

The activities of the NSA have come under sharp scrutiny since former agency contractor Edward Snowden leaked numerous documents exposing expansive US surveillance efforts.

Banks, institutions on alert for attacks

Meanwhile the US government has warned banks, infrastructure operators and other organisations to be on alert for hackers who may take advantage of the Heartbleed bug to steal data from vulnerable networks.

On a website for advising critical infrastructure operators about emerging cyber threats, the US Department of Homeland Security asked organisations to report any Heartbleed-related attacks.

Federal regulators advised financial institutions to identify any vulnerable systems, patch them, and then test them to make sure they are safe.

The Department of Homeland Security was working with federal, state and local governments to uncover and mitigate potential threats, Larry Zelvin, director of the department's National Cybersecurity and Communications Integration Centre, said separately in a blog post on the White House website.

"While there have not been any reported attacks or malicious incidents involving this particular vulnerability at this time, it is still possible that malicious actors in cyberspace could exploit unpatched systems," Mr Zelvin said.

The German government released an advisory that echoed the one by Washington, describing the bug as "critical".

"An attacker can take advantage of the vulnerability and can read the memory contents of the OpenSSL server," said the notice posted by the German Federal Office for Information Security.

Hundreds of thousands of computer users vulnerable

The widespread bug surfaced late on Monday, when it was disclosed that a pernicious flaw in a widely used web encryption program known as OpenSSL left hundreds of thousands of websites open to data theft.

Technology companies are now rushing to identify pieces of vulnerable OpenSSL code elsewhere, including email servers, ordinary PCs, phones and even security products.

Companies including Cisco Systems Inc and Intel Corp have rushed to release updates to protect against the threat, warning customers they may be at risk.

OpenSSL software is used with SSL technology to encrypt traffic, using digital certificates and "keys" to keep information secure while it is in transit over the internet and corporate networks.

The vulnerability went undetected for several years, so security experts have warned that hackers have likely stolen some of those certificates and keys, which means their data has long been vulnerable to spying.

In their advisory, the Federal Financial Institutions Examination Council regulatory group suggested that banks consider replacing those certificates and keys.

"Financial institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the OpenSSL patch," said the FFIEC, a consortium of regulators including the Fed and the Treasury Department.

Reuters