Heartbleed bug was potentially exploited months before being widely publicised

You can't have missed the major furore over Heartbleed which kicked off earlier this week when the knowledge of the bug was made public.

Heartbleed is a vulnerability in the OpenSSL encryption standard, and it's been present since March 2012, when a sloppy piece of coding was introduced to the open source project.

This encryption is the standard used by "https" websites, usually sites which truck in sensitive data and hence need the security – but this flaw has been an open wound in their side through which attackers could potentially extract all manner of data (from passwords to encryption keys and potentially even financial details like credit card numbers).

The question is: before knowledge of all this went public, how many cyber-ne'er-do-wells had been exploiting this vulnerability over the past months, or even years?

Ars Technica reports that there are definite signs the issue has been exploited for some time now. Ales Teska, from security firm, told Ars that his company's service was acting as a sort of "honeypot" for attacks (though it wasn't actually vulnerable), and they recorded potential attacks since 24 March. We say "potential" because this hasn't been fully confirmed, and the observed attacks could have been false positives – see this blog post for more details.

Ars also heard from Terrence Koeman of MediaMonks, who said his server logs held evidence of attempts to use the exploit dating back to November 2013.

This whole affair is extremely worrying, and has led to calls for everyone to go through resetting their passwords across the board – it's that serious. If you're concerned – and you should be – we answer all the major questions about Heartbleed in this article: How worried should you be about the Heartbleed bug?