SAN FRANCISCO — The discovery of a significant flaw in software that was supposed to provide extra protection for thousands of websites has thrown the tech world into chaos as experts scrambled to understand the scope of the vulnerability.

Consumers started to receive a trickle of notices from services they use online alerting them to potential issues and recommended steps, such as changing passwords. But given the scope of the issue, security experts projected that it could take years to sew up all the holes created by the Heartbleed bug.

“This is one of the worst security issues we’ve seen in the last decade and will remain within the top five for many years to come,” said Adam Ely, founder and chief operating officer of Bluebox Security.

Added Jeff Forristal, Bluebox chief technical officer: “OpenSSL is extremely pervasive on all manners of devices, systems and servers. It is going to take the ecosystem significant time to get everything updated, and we will be looking at a long tail situation that could easily extend into years.”

Heartbleed is a vulnerability in OpenSSL, a technology used to provide encryption of an estimated 66 percent of all servers on the public Internet. OpenSSL is an open-source code developed and maintained by a community of developers, rather than by a single company.

Although such jargon is unfamiliar to average users, most people online probably have seen the green padlock icon in the address bar of their browser, followed by “https” that indicates that the OpenSSL added security has been enabled.

The vulnerability was discovered separately last week by Neel Mehta, a security researcher at Google Inc., and a team of engineers at Codenomicon, a security website that has since created a site with information about Heartbleed.

On Tuesday, Tumblr, owned by Yahoo Inc., disclosed that it had been hit by Heartbleed and urged users to change not just the password for its site but for all others as well.

Signaling just how much uncertainty and confusion surrounds the glitch, security experts warned that such a gesture might actually be useless because if a site has not fixed the problem hackers could just as easily steal the new password.

“The scope of this is immense,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi, a Salt Lake City cybersecurity company. “And the consequences are still scary. I’ve talked about this like a ‘Mad Max’ moment. It’s a bit of anarchy right now. Because we don’t know right now who has the keys and certificates on the Internet right now.”

It appears the bug was introduced into OpenSSL by a programming mistake that got pushed out as websites around the world updated their version of OpenSSL.