Canada’s tax authority and a popular British parenting website both lost user data after attackers exploited the Heartbleed SSL vulnerability, they said Monday.
The admissions are thought to be the first from websites that confirm data loss as a result of Heartbleed, which was first publicized last Tuesday. The flaw existed in OpenSSL, a cryptographic library used by thousands of websites to enable encryption, and was quickly labeled one of the most serious security vulnerabilities in years.
For those who don't feel the urgency to install the latest security fixes for their computers, take note: Just a day after Heartbleed was revealed, attacks from a computer in China were launched.
The software bug, which affects a widely used encryption library called OpenSSL, was announced to the world April 7 at 1:27 p.m. New York time, according to the Sydney Morning Herald. That sent companies scrambling to fix their computer systems -- and for good reason.
The catastrophic Heartbleed security bug that has already bitten Yahoo Mail, the Canada Revenue Agency, and other public websites also poses a formidable threat to end-user applications and devices, including millions of Android handsets, security researchers warned.
On Monday, after seven months of discussion and planning, the first phase of a two-part audit of TrueCrypt was released.
The results? iSEC, the company contracted to review the bootloader and Windows kernel driver for any backdoor or related security issue, concluded that TrueCrypt has “no evidence of backdoors or otherwise intentionally malicious code in the assessed areas.”
The National Security Agency denied that it previously knew of the Heartbleed bug, calling reports that it or any part of the U.S. government was aware before April “wrong.”
Bloomberg reported earlier Friday that the NSA knew of the bug in the widely used encryption tool called OpenSSL for at least two years and exploited it to gather intelligence. Security researchers have called Heartbleed one of the biggest flaws in the Internet’s history. Later in the day, the NSA released a statement saying the agency wasn’t aware of Heartbleed until it was made public.