Heartbleed May Have Led to Compromises at Mumsnet and Canada Revenue Agency

Heartbleed threatens to expose masses of usernames and passwords and other sensitive information worldwide thanks to a mistake in OpenSSL

The Canada Revenue Agency has announced that 900 social insurance numbers had been stolen; in Mumsnet’s case, the compromise could affect all of its 1.5 million registered members.

“On Friday 11 April, it became apparent that what is widely known as the Heartbleed bug had been used to access data from Mumsnet users' accounts,” the company said in an email to its members, reported by the BBC. “We have no way of knowing which Mumsnetters were affected by this. The worst case scenario is that the data of every Mumsnet user account was accessed.”

Mumsnet founder Justine Roberts told the BBC that her own credentials were used by hackers to post a message online, thus alerting her to the issue.

“It is possible that this information could then have been used to log in as you and give access to your posting history, your personal messages and your personal profile, although we should say that we have seen no evidence of anyone's account being used for anything other than to flag up the security breach, thus far,” the company said in its mail.

In Canada, the tax agency took the website down as soon as it became aware that it was vulnerable to Heartbleed, but not before hackers were able to lift information during a six-hour window.

“Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period,” it said in a statement. “Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.”

One thing’s for certain – these are not the first nor the last high-profile compromises to stem from Heartbleed.

“To no real shock, the Heartbleed vulnerability continues to make news headlines,” said Fred Kost, vice president of security solutions at Ixia, in an email. “Since the initial news of Heartbleed last week, the big question that remained was around the ease of exploiting this vulnerability. With the latest news, the Heartbleed vulnerability went from being theoretical to very real, as attackers have been able to extract a private key from memory, further putting 1.5 million users at risk.”

To protect themselves from becoming the next victim, enterprises should first deploy the patch for the vulnerability, and then begin changing all private keys and passwords to help protect against man-in-the-middle attacks.

“This is a very dangerous vulnerability in a widely deployed SSL implementation and when a hacker steals the organization’s private key, this type of infiltration is not easily detected,” said Kost. “Although this can be a complex process and will take organizations a while to complete, not as simple as just applying the patch, organizations can move in the right direction by taking action now.”
