The Heartbleed flaw has claimed its first big-name victim, with the hugely popular British Mumsnet site admitting that cyber-thieves have exploited the bug to compromise an unknown number of its 1.5 million user accounts.
It’s the email that every online firm must dread writing but in Mumsnet’s case it has come to pass through no obvious fault of their own.
“On Friday 11 April, it became apparent that what is widely known as the Heartbleed bug had been used to access data from Mumsnet users’ accounts,” the site’s co-founder, Justine Roberts, told its members in an email.
The site said it had no way of knowing the extent of the breach, but that “the worst case scenario is that the data of every Mumsnet user account was accessed.”
As if to underline the seriousness of the hack, the site has since imposed a mandatory password reset, an almost unheard-of reaction that goes well beyond simply advising users to change their passwords.
“It is possible that this information could then have been used to log in as you and give access to your posting history, your personal messages and your personal profile, although we should say that we have seen no evidence of anyone’s account being used for anything other than to flag up the security breach, thus far.”
Small comfort, but at least the breach brings home the potential seriousness of the Heartbleed OpenSSL vulnerability (CVE-2014-0160) in practical terms. Until now, the deeper consequences of Heartbleed have been left to technical users and security experts to debate.
“We are very sorry for all the fuss. We want to assure you that we followed all the published steps to protect members’ security as soon as we became aware of the Heartbleed security risk, but it seems that the breach occurred prior to that risk becoming known,” Mumsnet said in its password reset instructions.
Earlier, the Canada Revenue Agency said that around 900 taxpayers had had their Social Insurance Numbers taken, at the time the only other confirmed breach attributed to the flaw.
The Heartbleed disclosure made for a bad week for software security and the people who build it. Even if the NSA really didn’t know about the flaw, paranoia now reigns; it has even been suggested that the security researcher who inadvertently introduced the error into OpenSSL, Robin Seggelmann, was somehow directed to do so by the NSA. Given his candour, this seems highly unlikely.
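For readers who want to see what the error introduced into OpenSSL actually does, the following is an added illustration written for this article; it is not OpenSSL's code and not anything published by Mumsnet. It models a TLS heartbeat handler (RFC 6520) that trusts the payload length claimed in the request, beside the same handler with the bounds check that the OpenSSL 1.0.1g fix added. The "process memory" buffer, the adjacent secret string and the request contents are all constructed for the example; in a real server the over-read runs up to 64 KB past the record into whatever happens to be nearby.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 * RFC 6520 requires a message whose payload_length does not fit the bytes actually received to be
 * silently discarded; OpenSSL before 1.0.1g never made that check. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Simulated process memory (constructed for this example): the incoming record sits at the front
 * and a secret that happens to be adjacent on the heap follows it. */
#define MEM_SIZE 512
static const char SECRET[] = "session=0xDEADBEEF-admin-cookie";   /* constructed value */

/* Write a heartbeat request into mem whose header claims claimed_len payload bytes but which
 * actually carries only actual_len. Returns the record's true length. */
size_t build_request(unsigned char *mem, const char *payload, size_t actual_len, uint16_t claimed_len)
{
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + HB_HEADER, payload, actual_len);
    size_t rec_len = HB_HEADER + actual_len + HB_PADDING;        /* padding left as zeros */
    memcpy(mem + rec_len, SECRET, sizeof SECRET);                 /* the neighbour on the "heap" */
    return rec_len;
}

/* Echo 'payload' bytes of the request back in a malloc'd response (caller frees). */
static unsigned char *make_response(const unsigned char *rec, uint16_t payload, size_t *reply_len)
{
    size_t n = HB_HEADER + (size_t)payload + HB_PADDING;
    unsigned char *buf = malloc(n);
    if (!buf) return NULL;
    buf[0] = HB_RESPONSE;
    buf[1] = (unsigned char)(payload >> 8);
    buf[2] = (unsigned char)(payload & 0xff);
    memcpy(buf + HB_HEADER, rec + HB_HEADER, payload);            /* trusts 'payload' completely */
    memset(buf + HB_HEADER + payload, 0, HB_PADDING);             /* OpenSSL used random padding */
    *reply_len = n;
    return buf;
}

/* Pre-fix handler: the real record length is never consulted, so the memcpy above reads past the
 * end of the record (up to 65535 bytes) and sends the bytes to the peer. */
unsigned char *heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, size_t *reply_len)
{
    (void)rec_len;                                                /* the bug, in one line */
    if (rec[0] != HB_REQUEST) return NULL;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return make_response(rec, payload, reply_len);
}

/* Post-fix handler: the check added in OpenSSL 1.0.1g, "1 + 2 + payload + 16 > record length". */
unsigned char *heartbeat_fixed(const unsigned char *rec, size_t rec_len, size_t *reply_len)
{
    if (rec_len < HB_HEADER + HB_PADDING) return NULL;            /* cannot hold header + padding */
    if (rec[0] != HB_REQUEST) return NULL;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)payload + HB_PADDING > rec_len) return NULL;   /* silently discard */
    return make_response(rec, payload, reply_len);
}

static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if a request claiming 200 bytes but carrying 5 pulls the secret out of the vulnerable handler. */
int vulnerable_leaks_secret(void)
{
    unsigned char mem[MEM_SIZE];
    size_t rec_len = build_request(mem, "hello", 5, 200), n = 0;
    unsigned char *reply = heartbeat_vulnerable(mem, rec_len, &n);
    int leaked = reply && contains(reply, n, SECRET);
    free(reply);
    return leaked;
}

/* 1 if the fixed handler drops that same oversized request. */
int fixed_rejects_oversized(void)
{
    unsigned char mem[MEM_SIZE];
    size_t rec_len = build_request(mem, "hello", 5, 200), n = 0;
    return heartbeat_fixed(mem, rec_len, &n) == NULL;
}

/* 1 if the fixed handler still answers an honest request with exactly the bytes sent. */
int fixed_answers_honest_request(void)
{
    unsigned char mem[MEM_SIZE];
    size_t rec_len = build_request(mem, "hello", 5, 5), n = 0;
    unsigned char *reply = heartbeat_fixed(mem, rec_len, &n);
    int ok = reply && n == HB_HEADER + 5 + HB_PADDING
             && memcmp(reply + HB_HEADER, "hello", 5) == 0 && !contains(reply, n, SECRET);
    free(reply);
    return ok;
}

int main(void)
{
    printf("vulnerable leaks secret: %d, fixed drops request: %d, fixed echoes honest request: %d\n",
           vulnerable_leaks_secret(), fixed_rejects_oversized(), fixed_answers_honest_request());
    return 0;
}
```

The missing check is the whole story: nothing is written out of bounds and no code is executed, the server simply copies whatever lies after the record into its reply. Repeating the request harvests whatever the process has recently handled, which is why "every account" is the honest worst case, and why the practitioner's response goes beyond patching to invalidating sessions, resetting passwords and re-issuing any private keys the process held.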