(Adds comment and background on Amazon's cloud services, paragraphs 11-12)
By Jim Finkle
BOSTON, April 9 (Reuters) - Security experts warn there is little Internet users can do to protect themselves from the recently uncovered "Heartbleed" bug that exposes data to hackers, at least not until vulnerable websites upgrade their software.
Researchers have observed sophisticated hacking groups conducting automated scans of the Internet in search of Web servers running a widely used Web encryption program known as OpenSSL that makes them vulnerable to the theft of data, including passwords, confidential communications and credit card numbers.
OpenSSL is used on about two-thirds of all Web servers, but the issue has gone undetected for about two years.
Kurt Baumgartner, a researcher with security software maker Kaspersky Lab, said his firm uncovered evidence on Monday that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans shortly after news of the bug first surfaced the same day.
By Tuesday, Kaspersky had identified such scans coming from "tens" of actors, and the number increased on Wednesday after security software company Rapid7 released a free tool for conducting such scans.
"The problem is insidious," Baumgartner said. "Now it is amateur hour. Everybody is doing it."
OpenSSL software is used on servers that host websites but not PCs or mobile devices, so even though the bug exposes passwords and other data entered on those devices to hackers, it must be fixed by website operators.
"There is nothing users can do to fix their computers," said Mikko Hypponen, chief research officer with security software maker F-Secure.
Representatives for Facebook Inc, Google and Yahoo Inc told Reuters they have taken steps to mitigate the impact on users.
Google spokeswoman Dorothy Chou told Reuters: "We fixed this bug early and Google users do not need to change their passwords."
Ty Rogers, a spokesman for Amazon.com Inc, said "Amazon.com is not affected."
In a blogpost dated Tuesday, the company said some of its Web cloud services, which provide the underlying infrastructure for apps such as online movie-streaming service Netflix and social network Pinterest, had been vulnerable. While it said the problems had been fixed, the company urged users of those services, which are popular in particular among the tech startup community, to take extra steps such as updating software.
Kaspersky Lab's Baumgartner noted that devices besides servers could be at risk because they run software programs with vulnerable OpenSSL code built into them.