First “Heartbleed Attack” makes wave

In the past couple of weeks you’ve probably received emails, Facebook posts, or tweets warning about the Heartbleed virus, but have there actually been any victims? Supposedly, Heartbleed has a knack for stealing credit card information, usernames, and passwords, making it a particularly nasty virus.

The news swept the globe, raising general anxiety, putting IT engineers on full alert, and causing everyone to search desperately for patches. Millions of people around the world set new passwords, but there weren’t any reports of accounts being hacked until April 16, many days after the first warnings went out.

Canadian police reportedly arrested someone who used Heartbleed to lift data from the country’s tax website. The Canada Revenue Agency (CRA), which is the Canadian equivalent of the IRS, was hacked during an epic six-hour time frame. Someone used Heartbleed to snatch the social insurance numbers for about 900 people, as well as other sensitive data.

Andrew Treusch, CRA commissioner, said, “The CRA worked around the clock to implement a patch for the bug, vigorously test all systems to ensure they were safe and secure, and re-launch our online services. The CRA is one of many organizations that was vulnerable to Heartbleed, despite our robust controls.”

This should serve as an object lesson about why you should study the legal information supplied by your VPN and pretty much anything that’s tech related.

Who’s behind the attack

A 19-year-old from Ontario, Stephen Solis-Reyes, was arrested and his computer seized. Reuters reported that he’s “associated with the attack,” and will likely face criminal charges, including the unauthorized use of technology as well as “mischief.”

According to a statement by the Royal Canadian Mounted Police, “It is believed that Solis-Reyes was able to extract private information held by CRA by exploiting the vulnerability known as the Heartbleed bug.”

Just one week before, panic had spread as rumors about Heartbleed became widespread, and numerous organizations and corporations sent mass emailings to their customers with warnings. They speculated that your personal data could easily be stolen, yet we heard nothing but crickets until the news from Canada.

A slow infection

Reuters reported that an estimated 500,000 websites, including Facebook and Google, may have been infiltrated by the rogue program, yet nobody aside from the CRA has come forward with a substantive complaint about Heartbleed. Among the other big names allegedly infected was Yahoo!.

Web analysts believe that although the CRA is the first to confirm itself a victim of the attacks, it surely won’t be the last. Solis-Reyes will make his first court appearance on July 17. It’s probable that a number of other victims will have come forward by then.

When sensitive information is stolen, the victims often don’t become aware it’s happened until weeks or months later. They learn the unhappy news when odd charges turn up on a bill, a credit card is declined, or they find something sketchy on a credit report when they apply for a loan.

This isn’t a common occurrence for many, and thieves could spend several weeks racking up bills in your name before it comes to your attention. Changing your password is only the first step in the process; you also need to follow your credit report to ensure there’s nothing shady going on.