Digging Through The Hype: Has Heartbleed Actually Harmed Anyone?

Chris Hoffman 24-04-2014

The Heartbleed bug has been the subject of much hand-wringing and has been called one of the most serious computer security breaches of all time. But some people aren’t convinced — after all, who has Heartbleed actually harmed? Well, there have been several reported attacks in which Heartbleed was used to do real harm. If you think Heartbleed is all hype, think again.


900 SINs Stolen From the Canadian Revenue Agency

In Canada, an attacker used the Heartbleed bug against the Canadian Revenue Agency, capturing about 900 social insurance numbers (SINs) belonging to people filing their income taxes. This is basically the Canadian equivalent to an attacker capturing social security numbers (SSNs) from the IRS in the USA. Some data related to Canadian businesses was also stolen.

The attacker was arrested for capturing these numbers, but we don’t know whether the attacker sold the SINs or passed them along to someone else. Like social security numbers in the USA, these numbers are generally not changeable — they can only be changed if you prove you’ve been a victim of fraud. Affected taxpayers will have to subscribe to a credit monitoring service and keep track of people attempting to open bank accounts and credit cards in their name. Identity theft is a serious concern here.


Mumsnet and Other Password Thefts

Mumsnet recently announced it is forcing all users to change their passwords. This wasn’t just a preventative measure — Mumsnet had reason to believe that attackers had gained access to the passwords and private messages belonging to up to 1.5 million users.

This is probably not the only website that’s had sensitive passwords stolen from it. If people are making the big mistake of reusing the same password on multiple websites, an attacker can get into other accounts. For example, if someone is using the same password for both their Mumsnet account and the email account tied to it, the attacker can get into that email account. From there, the attacker can reset other passwords and get into other accounts.


If you received an email from a service advising you to change your password and ensure you’re not using the same password elsewhere, it’s possible that service had its passwords stolen — or may have had its passwords stolen and isn’t sure.


VPN Hijacking and Private Key Thefts

Security company Mandiant announced that attackers used Heartbleed to breach an internal corporate VPN, or virtual private network, belonging to one of their clients. The VPN was using multifactor authentication, but that didn’t matter – the attacker was able to steal private encryption keys from a VPN appliance with the Heartbleed attack and was then able to hijack active VPN sessions.

We don’t know what corporation was attacked here — Mandiant just announced that it was a “major corporation.” Attacks like this one could be used to steal sensitive corporate data or infect internal corporate networks. If corporations don’t ensure their networks aren’t vulnerable to Heartbleed, their security can easily be bypassed.


The only reason we’re hearing about this is that Mandiant wants to encourage people to secure their VPN servers. We don’t know what corporation was attacked because corporations don’t want to announce that they’ve been compromised.

This isn’t the only confirmed case of Heartbleed being used to steal a private encryption key from a running server’s memory. CloudFlare doubted that Heartbleed could be used to steal private encryption keys and issued a challenge: try to get the private encryption key from our server if you can. Several people obtained the private key within a single day.


State Surveillance Agencies

Controversially, the Heartbleed bug could have been discovered and exploited by state surveillance and intelligence agencies before it became public knowledge. Bloomberg reported that the NSA has exploited Heartbleed for at least two years. The NSA and White House denied this, but director of national intelligence James Clapper did famously say the NSA did not collect any data on millions of Americans before the NSA’s surveillance activities became known, something we now know is not true. We also know that the NSA stockpiles security vulnerabilities for use against surveillance targets rather than reporting them so they can be fixed.


The NSA aside, there are other state surveillance agencies in the world. It’s possible that another country’s state surveillance agency discovered this bug and was using it against surveillance targets, possibly even US-based corporations and government agencies. We can’t know anything for sure here, but it’s very possible that Heartbleed has been used for espionage activities before it was publicly disclosed — it certainly will be used for these purposes now that it’s public knowledge!

We Just Don’t Know

We just don’t know how much damage Heartbleed has done yet. Businesses that end up with breaches thanks to Heartbleed will often want to avoid making any embarrassing announcements that could hurt their business or damage their stock prices. It’s generally easier to deal with the problem internally rather than letting the world know.

In many other cases, services won’t know they’ve been bitten by Heartbleed. Because the malformed heartbeat request that triggers the bug is handled inside the TLS layer, before the web server ever sees an HTTP request, Heartbleed attacks won’t show up in many server logs. They will still appear in network traffic captures if you know what to look for, but not every organization knows what to look for.
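What "knowing what to look for" means in practice, as an added example that is not from the article: a small Python scanner that walks a TLS byte stream and flags heartbeat records whose declared payload length cannot fit inside the record that carries it, which is the shape intrusion-detection signatures for Heartbleed keyed on. The sample byte stream, the helper `build_record` and the function names are constructed for this demo; real input would come from a packet capture.

```python
# Added example (not from the article): an offline scanner that flags TLS
# heartbeat records whose declared payload length does not fit in the record.
# The sample bytes below are constructed for the demo, not captured traffic.
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding


def parse_records(stream):
    """Yield (content_type, version, body) for each complete TLS record."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        body = stream[offset + 5:offset + 5 + length]
        if len(body) < length:
            break   # truncated capture: stop rather than mis-parse the tail
        yield ctype, version, body
        offset += 5 + length


def check_heartbeat(body):
    """Return a finding string for a malformed heartbeat body, else None.

    A well-formed heartbeat message is: type (1 byte), payload_length (2 bytes),
    the payload, then at least 16 bytes of padding. If the declared payload plus
    the minimum padding cannot fit in the record, the sender is asking the peer
    to echo bytes it never sent, which is the pattern the patch now rejects.
    """
    if len(body) < 3:
        return "heartbeat record too short to hold its header"
    hb_type, declared = struct.unpack("!BH", body[:3])
    actual = len(body) - 3
    if declared + MIN_PADDING > actual:
        kind = "request" if hb_type == HB_REQUEST else "response"
        return (f"heartbeat {kind} declares {declared} payload bytes "
                f"but only {actual} bytes follow the header")
    return None


def scan_tls_stream(stream):
    """Return (record_index, finding) pairs for every suspicious heartbeat."""
    findings = []
    for index, (ctype, _version, body) in enumerate(parse_records(stream)):
        if ctype != TLS_HEARTBEAT:
            continue   # handshake and application-data records are skipped
        finding = check_heartbeat(body)
        if finding:
            findings.append((index, finding))
    return findings


def build_record(ctype, body, version=0x0302):
    """Constructed helper: wrap a body in a TLS record header (demo data only)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample traffic: one application-data record, one benign heartbeat
# (4-byte payload plus 16 bytes of padding), and one heartbeat whose header
# claims 16384 payload bytes while the record ends right after the header.
SAMPLE_STREAM = (
    build_record(0x17, b"\x00" * 32)
    + build_record(TLS_HEARTBEAT,
                   bytes([HB_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
    + build_record(TLS_HEARTBEAT, bytes([HB_REQUEST]) + struct.pack("!H", 16384))
)

if __name__ == "__main__":
    for index, finding in scan_tls_stream(SAMPLE_STREAM):
        print(f"record {index}: {finding}")
```

The check only works on heartbeat records that travel in the clear, for example those sent before the handshake finishes, which is also the window network signatures for this bug relied on; once records are encrypted, the length field inside the body is no longer visible to a passive observer.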


It’s also possible that the Heartbleed bug has been exploited in the past, before it became public knowledge. It’s possible that cybercriminals or — more likely — state surveillance agencies discovered the bug and have been using it. The examples here are just a snapshot of the few things we know.

The hype is justified — it’s important we get services and devices up-to-date as quickly as possible to help reduce the damage and avoid worse attacks in the future.

Image Credit: snoopsmas on Flickr, ChrisDag on Flickr

Related topics: Online Security, SSL.


  1. Guy Fuller
    May 17, 2014 at 2:37 pm

    Hacked sites' data will be kept snugly on the criminals' servers and doled out to the highest bidders. In other words, it's a ticking time bomb...

  2. Caroline W
    April 27, 2014 at 6:05 pm

    I'm just an average person and it still freaked me out. I installed Lookout's Heartbleed checker for Android and luckily my apps were fine - thank god for security companies like Lookout for acting as quickly as they did. LastPass, again, got right on it too and advised me which passwords needed changing. It has been a pain in the rear to change so many passwords, but keeping myself secure was the most important thing. I use Bitdefender's SafePay browser for my banking and, as LastPass doesn't have the passwords for it, as I don't even 100% trust them with such sensitive data, I've just now thought I'd better get them changed too. This is scary and if it's happened once, I'm sure it will happen again. Let's hope the Internet worldwide can learn from this attack and make things even more secure; maybe this was a necessary wakeup call?