The Washington Post

Heartbleed: Here comes the fallout

The notorious Heartbleed bug that rattled the Web when it was discovered last week is starting to cause some bleeding.

The Canada Revenue Agency became the first government agency to report being victimized by the Heartbleed security flaw, Reuters reported. The agency said it was attacked by hackers who lifted hundreds of social security numbers from its systems.

The agency released a statement, saying:

The CRA has been notified by the Government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.

The “vulnerability” is caused by a flaw in “OpenSSL,” the software used to encrypt data and prevent unauthorized access to a Web site.

The agency said police are investigating the attack. And authorities said all government sites have been backed up with an updated version of OpenSSL.

Later on Monday, Mumsnet, a leading British site for parents, announced that cybercriminals may have nabbed passwords and personal information from a number of its 1.5 million registered users. Founder Justine Roberts told the BBC that the breach became obvious when her own username and password were used to post a message online. She said the hackers even notified site administrators that the attack was connected to the bug. The BBC reported that the site sent out an e-mail to its members, stating:

We have no way of knowing which Mumsnetters were affected by this. … The worst case scenario is that the data of every Mumsnet user account was accessed. … It is possible that this information could then have been used to log in as you and give access to your posting history, your personal messages and your personal profile, although we should say that we have seen no evidence of anyone’s account being used for anything other than to flag up the security breach, thus far.

The Heartbleed bug went public last week after Google and a small Finnish security firm, Codenomicon, reported that they had discovered a flaw in OpenSSL that essentially made access to servers’ memories available to outsiders. That’s when the public learned that hackers could potentially access unencrypted data, including people’s personal information, from systems using vulnerable versions of the software.

Some experts said more attacks like this week’s are likely to follow. The Washington Post’s Brian Fung reported that an open challenge for hackers organized by Internet security company CloudFlare suggested that hackers could even use the bug to create fake sites posing as real ones to trick users into giving up their personal information. It’s an issue the company once contended would be nearly impossible.

But old-school hackers will likely stick with time-tested tools such as compromising accounts of system administrators or accessing databases using a method called “SQL injection,” Internet security expert Dan Kaminsky told Reuters.

As a result, experts say it’s difficult to know whether Heartbleed will lead to an increase in cyberattacks.

Lindsey Bever is a general assignment reporter for The Washington Post. Tweet her: @lindseybever


