Security experts have urged internet users not to panic and instantly change their passwords in wake of the Heartbleed bug security flaw, despite suggestions to do so from prominent websites.
Hugh Boyes, cyber security lead at the UK-based Institution of Engineering and Technology said: "Change your passwords - but only after the affected website operators and internet service providers have implemented the patch to fix the bug.
"Changing your password before the bug is fixed could compromise your new password."
The popular blogging website Tumblr, which is owned by Yahoo!, had previously urged its users to change all their passwords immediately, especially those protecting sensitive data like email and bank accounts.
Independent security expert Bruce Schneier has also called for calm, but emphasised the seriousness of the web security breach.
"The bug has been patched. After you patch your systems, you have to get a new public or private key pair, update your SSL certificate and then change every password that could potentially be affected. 'Catastrophic' is the right word. On the scale of 1 to 10, this is an 11. Half a million sites are vulnerable, including my own."
Users can test their own vulnerability to the Heartbleed bug by visiting a site created by developer Filippo Valsorda, where you can enter web addresses and find out if the bug has been fixed.
Once it is confirmed the site has been patched, it is safe to change your password.
"Regularly change your passwords. Depending on how sensitive the application/website is, passwords typically ought to be changed monthly or quarterly. Don't reuse the same passwords on different websites. Try to use a separate password for each website," said Mr Boyes.
The Heartbleed bug was discovered on Monday by a team of security experts, including one from Google, having gone undetected for more than two years.
The bug bypasses the encryption that normally protects data as it is sent between computers and servers, leaving personal and sensitive data vulnerable.
It is commonly recognised as the closed padlock that appears in the corner of the web browser to show your connection is secure.