Two high-profile organisations, the UK parenting site Mumsnet and the Canada Revenue Agency (CRA), are the first known victims of the Heartbleed OpenSSL vulnerability to experience data breaches.
Make that a “maybe” in the case of Mumsnet.
Something hit the site, but site administrators aren’t quite sure what. They’re thinking it was Heartbleed because that’s what the intruder said it was.
After being notified of the vulnerability on Wednesday, administrators checked, found the site was indeed vulnerable to the buffer overflow bug, and patched it the same day.
But on Friday, it became clear that user data was at risk when Mumsnet founder Justine Roberts’s own username and password were used to post a message online.
The hacker(s) apparently wasn’t malicious, Roberts told the BBC.
In fact, the intruder contacted the site to let it know it was vulnerable to Heartbleed.
As you can see in this Mumsnet thread, multiple users with the same login apparently were posting, turning it into a nonfunny Shakespearean comedy of mixed identities.
Quite how Roberts’s password was acquired and abused is not clear, but the site says that intruders could have logged in using stolen credentials and gained access to members’ posting history, personal messages and personal profiles.
The good news, at least so far, is that there’s been no evidence of anyone’s account being used for anything other than to flag the site about the security breach.
Mumsnet on Monday posted a statement about their mass password reset, which affects about 1.5 million registered members.
Mumsnet said that users will have to change any password chosen before 5:45 pm on Saturday, 12 April, 2014.
As for the Canadian breach, the Canada Revenue Agency has announced that 900 social insurance numbers (SINs) were stolen by hackers exploiting Heartbleed over a six-hour period.
The CRA removed public access to its online services as of Thursday.
The agency is sending registered letters to those affected in the breach, is providing them with free credit protection services, and has set up an 800 number to provide further information.
The CRA emphasized that it won’t be calling or emailing individuals to inform them of the breach, so if any calls or emails come in about the breach from somebody claiming to the tax officials, you can be sure it’s fraudsters up to no good.
In fact, to echo a plea put out by Naked Security’s Paul Ducklin, to those who are sending out “heartbleed” password reset emails, we urge you to please avoid including those login links.
The CRA became aware of the breach while repairing Heartbleed.
As Naked Security’s Chester Wisniewski told CBC [podcast], the breach could have just been people horsing around, as opposed to hardened criminals trying to get SINs.
But we’ve got to take it seriously, he said, given that a SIN is a necessary component for identity theft. With a SIN, a birth date, a name, a former address or current postal code, a thief has all they need to carry out identity theft – typically, in the form of financial fraud such as applying for loans or credit cards.
How do we, as individuals, protect ourselves?
Stay vigilant, Chester recommends. Those affected by the CRA breach should take advantage of the free credit reporting, just as we all should whenever offered the opportunity.
It’s also a good idea to get your free credit report every year, whether you’re on the list of 900 or not, and whether you’re in Canada, the US or other countries that offer the free reports.
How long will we be seeing fallout from Heartbleed?
Chester predicts the misery could continue for 3 to 5 years. The first wave was web servers and online services, which rushed to patch after news of Heartbleed broke last week, as they worked to keep things like user passwords and SINs from getting bled out.
Now, we can anticipate the second wave, which could include exploitation of code in things such as older mobile phones, including Androids.
As was the case at Mumsnet, though, it will be hard to finger Heartbleed specifically, so expect finger-pointing and speculation, he said.
After all, most sites don’t have the technical sophistication of the CRA and aren’t going to be able to easily pin down the vulnerability as the definitive cause of future breaches.
As individuals, we should change passwords if notified to do so by sites we do business with.
But beware: Sophos has already seen fraudsters sending fake notification links, trying to lure people into heading over to a boobytrapped site that will intercept passwords.
Chester also recommends keeping an eye on your online accounts. If a site such as Facebook tells you that you last logged in from Latvia, non-Latvian-residents should think about changing their passwords.
The CRA has reopened to allow returns and has extended its deadline to May 5 to make up for time lost.