Although Heartbleed has been patched on most websites in the week since it was revealed that a bug in OpenSSL allowed anyone to steal information from websites, most companies have not yet reported whether their information was compromised, as Heartbleed leaves no trace of its intrusion. However, two websites have come forward after patching the bug and revealed that they detected unauthorised access to their servers and services and that user information had been stolen. Neither of these sites is based in South Africa, but the way the attacks were carried out is very interesting.
The first attack was confirmed by the Canadian Revenue Agency (CRA), whose online portal allows Canadians to fill in their tax returns and access other benefits tied to their social security number. When the Heartbleed bug was discovered, the agency’s site was immediately taken down, but not before the bug had been used to steal user account information that allowed attackers into the system.
According to a spokesperson for the agency, some 900 social security numbers were stolen during a six-hour period in which the server had been hijacked without the agency’s knowledge. Information relating to businesses was also stolen, but the agency declined to go into detail about it. The CRA is currently contacting the people affected by the attack to warn them of potential social engineering attacks that may be carried out on them later.
A UK-based parenting website, Mumsnet, has also revealed how it was affected by the bug. Mumsnet told reporters at the BBC that attackers used the bug to sniff packet information relating to usernames and passwords and gained access to administrator accounts for the website’s forums very easily. The site has urged all users to change their passwords and also noted that with the bug patched out, future attacks using Heartbleed would not work.
Interestingly, both websites noted that they had never been affected by the bug before its discovery, which leads me to believe that there was simply not enough time for hackers to use it to their advantage to steal critical information from most sites and services that have been affected previously.
Still, if you have ever used any of the sites that have been affected or were known to have the vulnerability exposed in the past, I highly recommend that you follow the tips in a post I made detailing the bug and at the very least change the passwords for your social networks and enable two-factor authentication for your online mail services – that’s basic, good security practice.