NAG Online > News > Websites begin to report info stolen through Heartbleed

Websites begin to report info stolen through Heartbleed

heartbleed bud

Although Heartbleed has been patched out of most websites in the last week following the revelations that OpenSSL had a bug that allowed anyone to steal information from websites, most companies have not yet reported if their information was compromised or not, as Heartbleed leaves no trace of its intrusion. However, two websites have since come forward after patching the bug and revealed that they have detected unauthorised access to their servers and services and that user information had been stolen. Neither of these sites are based in South Africa, but the way the attacks were carried out is very interesting.

The first attack was confirmed by the Canadian Revenue Agency (CRA), whose online portal allows Canadians to fill in their tax returns online as well as access other benefits tied to their social security number. When the Heartbleed bug was discovered the agency’s site was immediately taken down, but not before it was discovered that the bug had been used to steal user account information that allowed attackers into the system.

According to a spokesperson for the company, some 900 social security numbers had been stolen in the course of a six-hour period in which the server had been hijacked without their knowledge. In addition, information relating to businesses was also stolen, but the agency declined to go into detail about the information stolen. The CRA is currently in the process of contacting the people affected by the attack to warn them of potential social engineering attacks that may be carried out on them later.

A UK-based parenting website, Mumsnet, has also revealed how it was affected by the bug. Mumsnet told reporters at the BBC that attackers used the bug to sniff packet information relating to usernames and passwords and gained access to administrator accounts for the website’s forums very easily. The site has urged all users to change their passwords and also noted that with the bug patched out, future attacks using Heartbleed would not work.

Interestingly, both websites noted that they had never been affected by the bug before its discovery, which leads me to believe that there was simply not enough time for hackers to use it to their advantage to steal critical information from most sites and services that have been affected previously.

Still, if you have ever used any of the sites that have been affected or were known to have the vulnerability exposed in the past, I highly recommend that people follow the tips in a post I made detailing the bug and at the very least change passwords for their social networks and enable two-factor authentication for their online mail services – that’s basic, good security practice.

Sources: Canadian Revenue Agency, BBC News

Tags:  ,
  • XCal11bur

    I’ve really been hamstrung by this thing. A few days ago when all this happened I lost contact with several SSL sites or https sites (All give the error invalid certificate do you wish to continue at your risk, but thing is it doesn’t do anything but show me that screen.) I don’t have problems with my email sites, facebook or a lot of other sites that doesn’t use https. I do have problems with twitter and IGN , I can’t even get to the log in page. Neither can I get onto digicert’s utility page.

    So with tears in my eyes I’m asking how I can sort this out that I can visit SSL sites again. (Is there a way on Google chrome to get the fixed certificates or something?)

    On a side note, alongside this at times a cerficate asks my permission to install it, or it had asked me a couple of times, but I was unsure so I said no. (While researching it, most sites seems to think it is ligit, but I’ve never had to install a certificate before. So I’m confused.)

    • Alex Rowley

      You could try using Firefox as a web browser. I had this problem on my phone because it uses Google chrome as well but that resolved itself in like a day.

      I would suggest using Google to find a way to add exceptions as I when I had this problem I tried to find a solution and there were quite a few tutorials that explained how to do this, I couldn’t use them though because none of them were for the mobile version of chrome. Also silly question but is your Chrome up to date? Always a good thing to check.

    • Alex Rowley

      as for the here’s an explanation for that

    • Wesley Fick

      I can confirm that I’m on the latest version of Chrome and I’ve not encountered the same issues. Firefox mostly ignores minor errors like that and I haven’t been asked to update certificates. What DNS servers are you using? Is the date and time on your rig set properly?


Login / Search

Latest games

Latest opinions


Related posts