One month after the critical Heartbleed vulnerability was first revealed, more than 300,000 servers remain vulnerable to the bug, according to security researcher Robert David Graham. Graham arrived at the number through a global internet scan, which found 1.5 million servers that still support OpenSSL's TLS "heartbeat" extension, the feature whose implementation contains the bug, and exactly 318,239 systems that are still vulnerable. The figure counts only confirmed cases; other systems may well have escaped Graham's accounting, either because his scans were blocked as spam or because of unorthodox OpenSSL setups.
It's a troubling number, given how readily available the Heartbleed fix is (OpenSSL 1.0.1g, or a patch backported by the distribution) and how damaging the bug can be once exploited. Now that the bug has been revealed, the attack is also fairly simple to carry out. Major services like Google patched their servers almost immediately, but this scan suggests that bad actors could still do plenty of damage against smaller and less technically adept services. Once a vulnerable server is located, an attacker could use Heartbleed to steal the server's private TLS key (and with it decrypt recorded traffic where forward secrecy was not in use), read users' passwords and session cookies out of the server's memory, or use those cookies to hijack a session entirely.