More than 300,000 servers haven't been patched for the Heartbleed bug, a security firm has reported.
Heartbleed is a flaw in OpenSSL's TLS heartbeat extension that lets one side of a connection read chunks of the other side's process memory, potentially exposing anything held there, from user passwords to the server's private keys. The April announcement of its discovery was organised to grab headlines - it even had its own logo - with security experts calling on websites and others using OpenSSL to patch their copy quickly.
The patch was made available immediately. Updating OpenSSL was the first step for web admins, but not the only one: services linked against the library had to be restarted to pick up the fix, and because the bug could already have leaked private keys, certificates needed to be reissued and the old ones revoked.
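The first question an admin has to answer is whether the OpenSSL build on a host is one of the affected upstream releases. The following check, added here as an example and not code from the article or from Errata, classifies `openssl version` banners against the affected upstream range (1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 are fixed, and the 1.0.0 and 0.9.8 branches were never affected). The host names and banners in the sample inventory are constructed. One caveat: distributions that backport security fixes keep the old version string, so a "vulnerable" verdict from this check means "confirm against the package changelog", while a "fixed" verdict can be trusted. It is a local inventory check, not the remote probe Graham's scan uses.

```python
import re

# Upstream OpenSSL releases that shipped the vulnerable heartbeat code:
# the 1.0.1 branch from 1.0.1 up to and including 1.0.1f (fixed in 1.0.1g),
# plus 1.0.2-beta1 (fixed in 1.0.2-beta2). 1.0.0 and 0.9.8 were never affected.
LAST_VULNERABLE_101_LETTER = "f"

# Matches the leading "OpenSSL 1.0.1e" part of an `openssl version` banner,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
# Distro build tags such as "1.0.1e-fips" are tolerated and ignored.
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|dev))?", re.IGNORECASE
)


def parse_banner(banner):
    """Return (major, minor, patch, letter, prerelease) or None if unparseable."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, pre = m.groups()
    return int(major), int(minor), int(patch), letter.lower(), (pre or "").lower()


def upstream_vulnerable(banner):
    """True if the banner names an upstream release containing the bug,
    False if it names a release that never had it or was fixed,
    None if the banner cannot be parsed.

    Note: on distributions that backport fixes without bumping the version
    string, True only means "verify against the package changelog"."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    major, minor, patch, letter, pre = parsed
    if (major, minor, patch) == (1, 0, 1):
        # Plain "1.0.1" and letters a..f are vulnerable; "g" and later are fixed.
        # Single-letter suffixes sort alphabetically, so a string compare works.
        # Pre-release 1.0.1 builds also land here and are flagged conservatively.
        return letter <= LAST_VULNERABLE_101_LETTER
    if (major, minor, patch) == (1, 0, 2):
        return pre == "beta1"
    return False


def triage(inventory):
    """Bucket (host, banner) pairs into vulnerable / fixed / unknown lists."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, banner in inventory:
        verdict = upstream_vulnerable(banner)
        key = "unknown" if verdict is None else ("vulnerable" if verdict else "fixed")
        report[key].append(host)
    return report


# Constructed sample inventory (hypothetical hosts, not data from Errata's scan).
SAMPLE_INVENTORY = [
    ("web-01", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("web-02", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("legacy-db", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("staging", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
    ("appliance", "no openssl binary found"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

Feed it the output of `openssl version` collected from each host; anything in the "unknown" bucket (no OpenSSL on the path, a statically linked appliance, a vendor build with a non-standard banner) needs a manual look rather than being assumed safe.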
While many rushed to update in the weeks following the Heartbleed discovery, others haven't followed suit, according to Robert Graham, a researcher at security firm Errata.
"When the Heartbleed vulnerability was announced, we found 600,000 systems vulnerable," he said in a blog post. "A month later, we found that half had been patched, and only 300,000 were vulnerable. Last night, now slightly over two months after Heartbleed, we scanned again, and found 300,000 (309,197) still vulnerable."
Graham said the stalling numbers show that people have stopped trying to patch the flaw, leaving users at risk. "We should see a slow decrease over the next decade as older systems are slowly replaced," he said. "Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable."
Graham will continue to run the scan to track progress of OpenSSL upgrades. He didn't reveal any details of the sites still at risk.