It's Heartbleed's first blood: two cyber-break-ins have been identified. One attack was at the Canadian tax agency and the other at a U.K. parenting website, which were allegedly accomplished using the Heartbleed bug, a flaw in a type of online encryption.
The two cases appear to be unrelated, but in both instances snoops seemingly used the now-infamous flaw in OpenSSL, an online encryption software, to access the sites' databases. In at least one of the breaches the hackers stole hundreds of users' personal information.
Up until now, no one had found evidence that this devastating bug had been exploited for criminal purposes, despite the fact that up to two thirds of the Internet was reportedly left vulnerable. The vulnerability is partially because using the bug to capture a server's data doesn't leave a record in the server's logs.
When the Heartbleed bug was exposed last week (Apr. 8) the Canada Revenue Agency (CRA) immediately took its website down in order to start patching the flaw. But apparently it wasn't enough — according to a post by CRA commissioner Andrew Treusch, someone still managed to breach the CRA database. During the course of a 6-hour period those persons acquired 900 social insurance numbers (Canadian SSNs) by exploiting the Heartbleed bug.
Treusch said that the snoops also acquired additional data, "some that may relate to businesses," but did not elaborate. An investigation is still underway. Meanwhile the CRA has patched Heartbleed and its website is back online. To help citizens affected by the delay, the deadline to file Canadian tax returns has been pushed back from Apr. 30 to May 5, according to Canadian news site CBC.
Meanwhile, Teusch says everyone affected in this breach will receive a confirmation letter containing directions for how to secure social insurance numbers. Teusch also warns people to beware Heartbleed-based phishing attempts, or official-seeming emails that appear to alert recipients of a Heartbleed attack but are really designed to trick people into divulging personal information.
Around the same time as the Canadian attack was taking place, a UK parenting website called Mumsnet also experienced an unwanted infiltration. Site founder Justine Roberts told the BBC that she was first alerted to the breach when someone made a post on the site using her own username. The infiltrator claimed to have used Heartbleed to access Roberts' account.
Mumsnet is requiring its users to change their passwords, as it's unclear if the ne'er-do-wells took any account information during the breach.
Both the CRA and Mumsnet breaches appear to have been planned and executed only after the Heartbleed Bug was made public on Apr. 7 by Codenomicon. So far no one has been able to find evidence that Heartbleed was exploited before that time.
However, Bloomberg News reported that the National Security Agency (NSA) knew about the bug almost as soon as the flawed OpenSSL software went live. According to two anonymous sources, the NSA intentionally kept the flaw now known as Heartbleed a secret, and used it to gather intelligence data.