The Inquirer-Home

Heartbleed hits Mumsnet and the Canadian taxman

Mixed emotions on this one
Tue Apr 15 2014, 09:29

heartbleed bugTWO WEBSITES have come forward and claimed they were victims of Heartbleed - Mumsnet, a website for mothers, and the Canada Revenue Agency.

Mumsnet is in the UK, and is a very popular website among mothers that has over 1.5 million members. Heartbleed, which we explain in the video below, has claimed the website as one of its first victims.

Yesterday in a note on its website it confessed that it was affected and admitted to having been attacked. It said that it shored up its systems and invalidated all existing passwords, and advised that all users change their passwords immediately.

"Following the recent Heartbleed security breach, we reset all users' passwords on Saturday 12 April. If you've not reset your password, you need to do so now," it said.

The good news is you that will not be changing your passwords just to carry on using a website that is vulnerable, and Mumsnet said that it sorted out the OpenSSL software at the end of last week.

"On Thursday 10 April we at MNHQ became aware of the bug and immediately ran tests to see if the Mumsnet servers were vulnerable. As soon as it became apparent that we were, we applied the fix to close the OpenSSL security hole (known as the Heartbleed patch)," it said in a longer explanatory statement. "However, it seems that users' data was accessed prior to our applying this fix."

This scorched password reset has not gone totally smoothly, according to another statement at Mumsnet. That addition apologised for the slow delivery of password change emails and a sluggish system. Ultimately, said Mumsnet, no one can guarantee that even with a patch, data is safe.

Somewhere that you might hope data remains safe and private is the tax office, but the Canadian one apparently is about as tight as a string vest.

Commissioner Andrew Treusch said that while systems have been patched at the Canada Revenue Agency (CRA), some damage had already been done.

"Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period," he wrote.

"Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analysing other fragments of data, some that may relate to businesses, that were also removed."

The Heartbleed bug was only revealed this month, but has sent shockwaves through the internet and the computer industry. µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

INQ Poll

Happy new year!

What tech are you most looking forward to in 2015