• Copy link
• Facebook
• X
• Reddit
• Email

Share this article

5

Join the conversation

Follow us

Add us as a preferred source on Google

Newsletter

Get the Tom's Guide Newsletter

Here at Tom’s Guide our expert editors are committed to bringing you the best news, reviews and guides to help you stay informed and ahead of the curve!

Become a Member in Seconds

Unlock instant access to exclusive member features.

Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors

---

By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

You are now subscribed

Your newsletter sign-up was successful

---

Want to add more newsletters?

Daily (Mon-Sun)

Tom's Guide Daily

Sign up to get the latest updates on all of your favorite content! From cutting-edge tech news and the hottest streaming buzz to unbeatable deals on the best products and in-depth reviews, we’ve got you covered.

Signup +

Weekly on Thursday

Tom's AI Guide

Be AI savvy with your weekly newsletter summing up all the biggest AI news you need to know. Plus, analysis from our AI editor and tips on how to use the latest AI tools!

Signup +

Weekly on Friday

Tom's iGuide

Unlock the vast world of Apple news straight to your inbox. With coverage on everything from exciting product launches to essential software updates, this is your go-to source for the latest updates on all the best Apple content.

Signup +

Weekly on Monday

Tom's Streaming Guide

Our weekly newsletter is expertly crafted to immerse you in the world of streaming. Stay updated on the latest releases and our top recommendations across your favorite streaming platforms.

Signup +

---

Join the club

Get full access to premium articles, exclusive features and a growing list of member rewards.

Explore

---

An account already exists for this email address, please log in.

Subscribe to our newsletter

It's Heartbleed's first blood: two cyber-break-ins have been identified. One attack was at the Canadian tax agency and the other at a U.K. parenting website, which were allegedly accomplished using the Heartbleed bug, a flaw in a type of online encryption.

The two cases appear to be unrelated, but in both instances snoops seemingly used the now-infamous flaw in OpenSSL, an online encryption software, to access the sites' databases. In at least one of the breaches the hackers stole hundreds of users' personal information.

MORE: Heartbleed: Who Was Affected, What to Do Now

Up until now, no one had found evidence that this devastating bug had been exploited for criminal purposes, despite the fact that up to two thirds of the Internet was reportedly left vulnerable. The vulnerability is partially because using the bug to capture a server's data doesn't leave a record in the server's logs.

When the Heartbleed bug was exposed last week (Apr. 8) the Canada Revenue Agency (CRA) immediately took its website down in order to start patching the flaw. But apparently it wasn't enough — according to a post by CRA commissioner Andrew Treusch, someone still managed to breach the CRA database. During the course of a 6-hour period those persons acquired 900 social insurance numbers (Canadian SSNs) by exploiting the Heartbleed bug.

Treusch said that the snoops also acquired additional data, "some that may relate to businesses," but did not elaborate. An investigation is still underway. Meanwhile the CRA has patched Heartbleed and its website is back online. To help citizens affected by the delay, the deadline to file Canadian tax returns has been pushed back from Apr. 30 to May 5, according to Canadian news site CBC.

Meanwhile, Teusch says everyone affected in this breach will receive a confirmation letter containing directions for how to secure social insurance numbers. Teusch also warns people to beware Heartbleed-based phishing attempts, or official-seeming emails that appear to alert recipients of a Heartbleed attack but are really designed to trick people into divulging personal information.

Around the same time as the Canadian attack was taking place, a UK parenting website called Mumsnet also experienced an unwanted infiltration. Site founder Justine Roberts told the BBC that she was first alerted to the breach when someone made a post on the site using her own username. The infiltrator claimed to have used Heartbleed to access Roberts' account. 

Mumsnet is requiring its users to change their passwords, as it's unclear if the ne'er-do-wells took any account information during the breach.

Both the CRA and Mumsnet breaches appear to have been planned and executed only after the Heartbleed Bug was made public on Apr. 7 by Codenomicon. So far no one has been able to find evidence that Heartbleed was exploited before that time.

However, Bloomberg News reported that the National Security Agency (NSA) knew about the bug almost as soon as the flawed OpenSSL software went live. According to two anonymous sources, the NSA intentionally kept the flaw now known as Heartbleed a secret, and used it to gather intelligence data.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.  Follow us@TomsGuide, on Facebook and on Google+. 

• 13 Security and Privacy Tips for the Truly Paranoid
• 10 Simple Tips to Avoid Identity Theft
  
• 9 Tips to Stay Safe on Public Wi-Fi