Just a few days after the Canada Revenue Agency (CRA) blocked public access to its online services due to concerns over the Heartbleed bug, the agency has confirmed that prior to the preventive measure, an attacker exploited the bug and removed social insurance numbers of approximately 900 taxpayers from the agency's systems, according to a BBC report.
"Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period," the agency said. The Privacy Commissioner of Canada has been informed of the incident, and the Royal Canadian Mounted Police has started an investigation.
CRA commissioner Andrew Treusch said that the taxpayers who are affected by the breach will receive notification of the incident via registered letter rather than email, in order to avoid giving criminals a chance to exploit the situation, and will be given access to free credit protection services.
Aside from the CRA, the UK parenting site Mumsnet also announced that its data had been stolen by hackers exploiting the Heartbleed bug. Founder Justine Roberts told the BBC that the attackers could have made off with potentially all login details.
Roberts said she learned of the attack after her own login credentials were compromised by the attackers, who then informed the website admins that the attack was related to Heartbleed. The website is now forcing all its members to reset any password created on or before Saturday.