The “Heartbleed” Web vulnerability has arguably been the most high-profile technical story to hit the news since Edward’s Snowden’s initial NSA revelations.
There has been much debate amongst the technical community as to exactly how serious the Heartbleed issue is. Everyone with even a modicum of Web knowledge seems to have an opinion, and these opinions seem to range from “unprecedented disaster” to “exaggerated media hype.”
Now, those who have erred towards the latter opinion are being forced to sit up and take notice as reports of the first real-life security breaches begin to emerge.
It’s now been revealed that Heartbleed has been exploited to steal data from both the popular Mumsnet website and the Canadian tax authority, the CRA.
Mumsnet has in excess of 1.5million users, and the site has now confirmed that hackers have been able to gain access to their passwords and personal details. Hackers informed Mumsnet of the breach after successfully posting on the site in the name of the Mumsnet founder.
Mumsnet have now instigated a forced password change when users log on, but members should be aware that that the hackers may well be in possession of their original email address and password login combination. If this same combination is in use on any other sites, even those confirmed as not being affected by Heartbleed, it would make good sense to change them immediately.
Unfortunately, even though people are widely encouraged to use a different username and password for every site, many people ignore this and repeatedly use the same password, making a breach such as this at an unrelated site a larger problem than it needs to be.
The Canada Revenue Agency
The Mumsnet breach involves many individuals, but is arguably less serious than the breach announced at the CRA. Mumsnet’s breach potentially allowed some access to basic personal details and gave hackers the ability to post forum posts as other people, but the CRA’s breach involved social insurance numbers and some other (as yet unspecified) “fragments of data.”
Thankfully, the CRA has stated that only around 900 citizens have been affected.
Once must assume that these first real-life examples of Heartbleed exploitation are just the start. The vulnerability has been out there for a long time, and other hackers are sure to have made use of it. Internet users should hope that those that have are ethical hackers and not those with malicious intent. If they are the latter, future news stories could prove a whole lot scarier.