Parenting site Mumsnet hacked due to Heartbleed

Hackers gain access to taxpayer data fromCanada revenue agency

File illustration picture of computer keyboard with letters stacked forming the word ‘password’ . Photograph: Kacper Pempel/Files/Reuters

File illustration picture of computer keyboard with letters stacked forming the word ‘password’ . Photograph: Kacper Pempel/Files/Reuters

Mon, Apr 14, 2014, 19:56

UK-based parenting tips website Mumsnet has been hacked as a result of the Heartbleed computer bug, the site’s founder has announced.

In a statement, founder Justine Roberts said: “Last week we became aware of the Heartbleed bug and immediately applied a fix to close the OpenSSL security hole. However, it became apparent that users’ data submitted via our login page had been accessed prior to our applying this fix.

“As a result, we decided to require all registered Mumsnet users to change their passwords. We have no way of knowing which or how many accounts were affected but have advised users to change passwords on other sites, particularly if they use the same password on Mumsnet as elsewhere.”

The Heartbleed bug is a breach in the encryption used to mask the sensitive data passed between computers and servers when users are online.

The breach has put details such as credit card accounts and passwords at risk.

The flaw was discovered a week ago, having gone undetected for more than two years.

Since then, major internet companies have been asking their users to reset passwords once a fix, or “patch”, has been installed to the site in question.

Mumsnet, which has more than one million members in the UK, is the first company in Britain to announce data loss, and the announcement comes just two days after a post on the site’s forum informed users that all passwords would be reset as a security measure.

Last week, blogging site Tumblr urged all users to change their passwords immediately to prevent personal and sensitive data being stolen.

The Institution of Engineering and Technology described the Heartbleed bug as a “serious software defect”, while independent online security expert Bruce Schneier said “On a scale of one to 10, this is an 11”, when news of the defect first appeared last week.

Mumsnet has vowed to keep users notified of any new information they receive.

Ms Roberts said: “The security of our users’ data is of paramount importance to us. We collect very little of it, and we never pass or sell it on without people’s explicit consents.

“Heartbleed has shown that nobody can offer a 100per cent guarantee of online security, but we’ll continue to do our best to protect our users as much as we can, and be transparent about any breaches we find.”

Separately Canada’s revenue agency said hackers exploiting the Heartbleed security flaw have gained access to some taxpayer data.

About 900 social security numbers, which the government uses to identify citizens, were taken from the Ottawa-based agency’s computer systems,

Canada Revenue Agency said in a statement, without saying who committed the breach. The agency said it’s analysing other fragments of data, some that may relate to businesses, that were also removed.

“I want to express regret to Canadians for this service interruption,” Andrew Treusch, commissioner of the agency, said in the statement. “In particular, I share the concern and dismay of those individuals whose privacy has been impacted by this malicious act.”

The agency, which temporarily closed its online tax services last week to investigate the security flaw, said it has implemented a “patch” for the bug and tested all its systems. It re-opened its online services yesterday. The breach took place over a six-hour period, the agency said, without giving an exact date.

The Canadian government on April 10th ordered the shutdown of all its websites that run unprotected OpenSSL software as a precautionary measure until the appropriate security can be put in place.

PA/Bloomberg