In case you’ve been living under a rock, the Heartbleed bug has swiftly torn down the illusion that our online security is airtight. Nearly a third of all secure websites were unequivocally deemed insecure, forcing just about everyone who’s been online in any capacity over the past few years to change a few (if not all) of their passwords. But now comes word that while the bug—dubbed “Heartbleed”—may be new to us, the National Security Agency may have known about it for years. And according to anonymous sources, instead of warning the public, the agency may have been using it to gather intel.

“It flies in the face of the agency’s comments that defense comes first,” Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer, told Bloomberg. “They are going to be completely shredded by the computer security community for this.” In the meantime, NSA spokeswoman Vanee Vines has declined to comment …

Update: The White House has denied the report. “Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong,” National Security Council spokeswoman Caitlin Hayden said. “The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report.”