
First confirmed Heartbleed exploitation hits Mumsnet and Canada Revenue Agency

We've been hearing a hell of a lot about the Heartbleed bug over the past week or so, but despite the scope of the flaw, no details of any actual compromised data have emerged – until now, that is.

The first reported leveraging of Heartbleed by the bad guys has hit the UK parental advice site Mumsnet, and more worryingly the Canadian tax agency (more worrying for Canada, certainly).

Mumsnet believes it has had data stolen which may have contained passwords and personal messages pertaining to its 1.5 million members – though it has now patched against the vulnerability, and is forcing a post-patch password reset for users, just to be safe.

According to the BBC, Mumsnet sent an email to all its members advising them of the security breach. It read: "On Friday 11 April, it became apparent that what is widely known as the Heartbleed bug had been used to access data from Mumsnet users' accounts. We have no way of knowing which Mumsnetters were affected by this."

"The worst case scenario is that the data of every Mumsnet user account was accessed."

However, the site noted that no one has reported misuse of an account, and that it has found no evidence of any account being used maliciously. That isn't to say this hasn't happened, of course.

As for the Canada Revenue Agency, it has said that 900 social insurance numbers were stolen by cyber-criminals.

The agency also noted that other data had been stolen: "We are currently going through the painstaking process of analysing other fragments of data, some that may relate to businesses, that were also removed."

So potentially the social insurance numbers are the tip of the proverbial iceberg, and these two incidents are likely only the first of many in the overall Heartbleed picture. Expect more admissions of data theft in the pipeline; part of the problem with Heartbleed is that it's very difficult to spot an intrusion, or pin down exactly what's been taken. A malicious heartbeat request is handled and answered inside the TLS library, below the level at which a web server writes its access logs, and what comes back is whatever happened to be sitting in the server's memory at that moment.
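To make the detection problem concrete, here is an added example (not code from the original article, Mumsnet, or the CRA) of the check that a network sensor can apply to a plaintext TLS heartbeat record. The bug was that OpenSSL trusted the payload length declared inside the heartbeat message and copied that many bytes out of its own memory, even when the TLS record carrying the message was only a few bytes long; the patched code rejects a heartbeat whose declared payload, plus the 1-byte type, 2-byte length and the 16 bytes of padding that RFC 6520 requires, does not fit inside the record. The same arithmetic flags a malicious request on the wire. The byte strings below are constructed for the example, and the function and constant names are my own.

```python
import struct
from typing import Optional, Tuple

TLS_HEARTBEAT = 0x18       # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16           # RFC 6520 requires at least 16 bytes of random padding


def parse_tls_record(data: bytes) -> Tuple[int, int, int, bytes]:
    """Split one TLS record into (content_type, version, length, body).

    Only the 5-byte record header and the body it announces are read;
    anything after that is ignored.
    """
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated TLS record body")
    return content_type, version, length, body


def check_heartbeat(record: bytes) -> Optional[str]:
    """Classify a plaintext TLS record.

    Returns None for non-heartbeat records, "benign" for a well-formed
    heartbeat, and a string starting with "heartbleed" when the declared
    payload cannot fit inside the record that carries it. This is the
    same bounds check that OpenSSL 1.0.1g added:
        1 (type) + 2 (payload_length) + payload_length + 16 (padding)
    must not exceed the record length.
    """
    content_type, _version, length, body = parse_tls_record(record)
    if content_type != TLS_HEARTBEAT:
        return None
    if length < 3:
        return "malformed: heartbeat body shorter than type + length fields"
    hb_type = body[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return f"malformed: unknown heartbeat type {hb_type}"
    (payload_length,) = struct.unpack("!H", body[1:3])
    if 1 + 2 + payload_length + MIN_PADDING > length:
        return (f"heartbleed: declared payload {payload_length} bytes "
                f"exceeds record length {length}")
    return "benign"


def build_benign_heartbeat(payload: bytes, padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Construct a well-formed TLS 1.1 heartbeat request for testing."""
    body = bytes([HB_REQUEST]) + struct.pack("!H", len(payload)) + payload + padding
    return bytes([TLS_HEARTBEAT]) + struct.pack("!HH", 0x0302, len(body)) + body


# Constructed sample records for the example.
# The malicious one is a 3-byte heartbeat body (type 1) that declares a
# 16384-byte payload: the shape of the request that triggered the over-read.
MALICIOUS_HEARTBEAT = bytes.fromhex("18 03 02 00 03 01 40 00")
BENIGN_HEARTBEAT = build_benign_heartbeat(b"ping")
HANDSHAKE_RECORD = bytes.fromhex("16 03 01 00 01 00")   # not a heartbeat at all


if __name__ == "__main__":
    for name, rec in [("malicious", MALICIOUS_HEARTBEAT),
                      ("benign", BENIGN_HEARTBEAT),
                      ("handshake", HANDSHAKE_RECORD)]:
        print(f"{name:10s} -> {check_heartbeat(rec)}")
```

Two caveats a practitioner would want. First, the check only works on heartbeats sent in the clear; the public proof-of-concept tools sent the malicious heartbeat during the handshake, before encryption was switched on, which is why signature-based IDS rules of this shape caught them, but a heartbeat sent after the handshake completes is encrypted and opaque to a passive sensor. Second, even a flagged request tells you only that someone tried; what the 64 KB reply contained depends on the server's memory layout at that instant and is not recoverable afterwards, which is exactly why Mumsnet and the CRA cannot say precisely what was taken.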

Mumsnet also copped some flak for sending out an email with a link for the password reset – this is bad practice given the phishing emails which will be flying around trying to exploit the Heartbleed debacle in their own way, as we noted in an article yesterday (see: Watch out for phishing emails concerning Heartbleed password resets). Always go directly to the site in question to change account details – never use a link from an email just to save a few seconds.

For more on the dangerous bug, check out our feature entitled Heartbleed and your passwords: An in-depth guide to what action you should take.