The notorious Heartbleed bug that rattled the Web when it was discovered last week is starting to cause some bleeding.
The Canada Revenue Agency became the first government agency to report being victimized by the Heartbleed security flaw, Reuters reported. The agency said it was attacked by hackers who lifted hundreds of social security numbers from its systems.
The agency released a statement, saying:
The CRA has been notified by the Government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.
The “vulnerability” is caused by a flaw in “OpenSSL,” the software used to encrypt data and prevent unauthorized access to a Web site.
The agency said police are investigating the attack. And authorities said all government sites have been backed up with an updated version of the OpenSSL> Later on Monday, Mumsnet, a leading British site for parents, announced that cybercriminals may have nabbed passwords and personal information from a number of its 1.5 million registered users. Founder Justine Roberts told the BBC that the breach became obvious when her own username and password were used to post a message online. She said the hackers even notified site administrators that the attack was connected to the bug. BBC reported that the site sent out an e-mail to its members, stating:
We have no way knowing which Mumsnetters were affected by this. … The worst case scenario is that the data of every Mumsnet user account was accessed. … It is possible that this information could then have been used to log in as you and give access to your posting history, your personal messages and your personal profile, although we should say that we have seen no evidence of anyone’s account being used for anything other than to flag up the security breach, thus far.
The Heartbleed bug went public last week after Google and a small Finnish security firm, Codenomicon, reported that they had discovered a flaw in OpenSSL that essentially made access to servers’ memories available to outsiders. That’s when the public learned that hackers could potentially access unencrypted data, including people’s personal information, from systems using vulnerable versions of the software.
Some experts said more attacks like this week’s are likely to follow. The Washington Post’s Brian Fung reported that an open challenge for hackers organized by Internet security company CloudFlare suggested that hackers could even use the bug to create fake sites posing as real ones to trick users into giving up their personal information. It’s an issue the company once contended would be nearly impossible.
But old-school hackers will likely stick with time-tested tools such as compromising accounts of system administrators or accessing databases using a method called “SQL injection,” Internet security expert Dan Kaminsky told Reuters.
As a result, experts say it’s difficult to know whether Heartbleed will lead to an increase in cyberattacks.