Heartbleed Breach Reported in UK
1.5 Million Accounts at Website for Parents Potentially Exposed
Mumsnet, a UK website for parents, is forcing all of its users to change their passwords after it discovered that a cyber-attacker had taken advantage of the Heartbleed bug to access data from users' accounts.
"On Thursday April 10 we ... became aware of the bug and immediately ran tests to see if the Mumsnet servers were vulnerable," the company says in a notice. "As soon as it became apparent that we were, we applied the fix to close the OpenSSL security hole. However, it seems that users' data was accessed prior to our applying this fix."
The site says it has no way of knowing which Mumsnet users were affected by the exploit. "The worst case scenario is that the data of every Mumsnet user account was accessed. That's why we've required every user to reset their password."
News reports claim that the website has 1.5 million registered members.
The Heartbleed vulnerability allowed an intruder to access information submitted via the login page, which includes username or e-mail and password, according to the notice. "It is possible that this information could then have been used to log in as you and give access to your posting history, your personal messages and your personal profile, although we should say that we have seen no evidence of anyone's account being used for anything other than to flag up the security breach, thus far," Mumsnet says.
The website did not immediately respond to a request for additional information.
In another breach related to Heartbleed, the Canada Revenue Agency reported that 900 taxpayers had their Social Insurance numbers compromised (see: Heartbleed Causes Breach in Canada).
Heartbleed is a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications such as Web, e-mail, instant messaging and some virtual private networks (see: Heartbleed Bug: What You Need to Know).