First Heartbleed-Based Cyberattacks Discovered

It's Heartbleed's first blood: two cyber-break-ins have been identified, one at the Canadian tax agency and the other at a U.K. parenting website. Both were allegedly accomplished using the Heartbleed bug, a flaw in a type of online encryption.

The two cases appear to be unrelated, but in both instances snoops seemingly used the now-infamous flaw in OpenSSL, a piece of online encryption software, to access the sites' databases. In at least one of the breaches, the hackers stole hundreds of users' personal information.


Up until now, no one had found evidence that this devastating bug had been exploited for criminal purposes, despite the fact that up to two thirds of the Internet was reportedly left vulnerable. The lack of evidence is partly because using the bug to capture a server's data doesn't leave a record in the server's logs.

When the Heartbleed bug was exposed last week (Apr. 8), the Canada Revenue Agency (CRA) immediately took its website down in order to start patching the flaw. But apparently it wasn't enough: according to a post by CRA commissioner Andrew Treusch, someone still managed to breach the CRA database. Over a 6-hour period, the intruders acquired 900 social insurance numbers (Canadian SSNs) by exploiting the Heartbleed bug.

Treusch said that the snoops also acquired additional data, "some that may relate to businesses," but did not elaborate. An investigation is still underway. Meanwhile the CRA has patched Heartbleed and its website is back online. To help citizens affected by the delay, the deadline to file Canadian tax returns has been pushed back from Apr. 30 to May 5, according to Canadian news site CBC.

Meanwhile, Treusch says everyone affected in this breach will receive a confirmation letter containing directions for how to secure social insurance numbers. Treusch also warns people to beware of Heartbleed-based phishing attempts, or official-seeming emails that appear to alert recipients of a Heartbleed attack but are really designed to trick people into divulging personal information.

Around the same time as the Canadian attack was taking place, a UK parenting website called Mumsnet also experienced an unwanted infiltration. Site founder Justine Roberts told the BBC that she was first alerted to the breach when someone made a post on the site using her own username. The infiltrator claimed to have used Heartbleed to access Roberts' account. 

Mumsnet is requiring its users to change their passwords, as it's unclear if the ne'er-do-wells took any account information during the breach.

Both the CRA and Mumsnet breaches appear to have been planned and executed only after the Heartbleed Bug was made public on Apr. 7 by Codenomicon. So far no one has been able to find evidence that Heartbleed was exploited before that time.

However, Bloomberg News reported that the National Security Agency (NSA) knew about the bug almost as soon as the flawed OpenSSL software went live. According to two anonymous sources, the NSA intentionally kept the flaw now known as Heartbleed a secret, and used it to gather intelligence data.


Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects. 

  • ddpruitt
    So far no one has been able to find evidence that Heartbleed was exploited before that time

    That's because it's not possible to detect attacks that happened in the past in this case. As has been said over and over ad nauseam, this attack leaves no traces.
  • josejones
    Sooo, how do we get rid of it?
  • bmerigan
    The second case - she doesn't know that's how they got her login details - it's a huge assumption. She more likely uses her child's name as her password.
  • AndrewJacksonZA
    She more likely uses her child's name as her password.
    Lol. That's a bit harsh.
  • rwinches
    To be clear only sites using openSSL were vulnerable.
    So sites like Amazon and your bank were not vulnerable.

    As with many of these astounding discoveries, just because it could be used does not mean it was.