April 14, 2014 7:19 pm

‘Heartbleed’ steals social security and mums’ messages

The first evidence of cyber thefts as a result of the “Heartbleed” bug has emerged with social insurance numbers stolen from the Canadian tax authority and passwords and private messages accessed from the UK site Mumsnet.

The Canada Revenue Agency has said cyber criminals have stolen the social insurance numbers of about 900 taxpayers, using the vulnerability in a piece of security software, which affected about two-thirds of all websites. Mumsnet, a popular UK website for parents, warned that users’ data had been accessed before it fixed the hole.

Hackers are pouncing on sites that have yet to update their software, as the Heartbleed flaw, announced last week, allows them to access private data stored in a computer’s short-term memory.

Large technology companies including Google and Facebook rushed to secure their sites but many smaller companies and organisations may still be vulnerable.

The Canadian tax authority has so far been the only government organisation to shut down its online services for fear that taxpayers filing confidential information could become victims of attack.

Andrew Treusch, commissioner of the CRA, said that while the service is back up and running, the agency has evidence that cyber criminals exploited the vulnerability while it was trying to fix it.

“Regrettably, the CRA has been notified by the government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period,” he said. “Based on our analysis to date, social insurance numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability.”

Mr Treusch added that the agency was still analysing what else could have been removed and that some of the data could relate to businesses rather than individual taxpayers.

Mumsnet, which is in the top 400 sites in the UK according to analytics company Alexa, called on all users to change their passwords after it was accessed by hackers. Justine Roberts, founder and chief executive of Mumsnet, said it was not clear what the hacker had access to but it could have included usernames, emails, passwords, posting history, personal messages and a personal profile.

Mumsnet is not an obvious target because it does not deal in financial or confidential information but, as people often use the same passwords for several sites, hackers may have wanted to get the information to use on other sites.

“We have no way of knowing which Mumsnetters were affected by this. The worst case scenario is that the data of every Mumsnet user account was accessed,” she said. “That’s why we’ve required every user to reset their password.”

The “Heartbleed” bug is one of the biggest vulnerabilities ever found, because it is in very commonly used security software and had been open for two years. US regulators have warned banks to take steps to protect themselves.

Copyright The Financial Times Limited 2015.