Around 1.5 million members of Mumsnet have had their account data exposed and have been forced to change their passwords after the company discovered it had been hacked last Friday, the day after it first heard about Heartbleed, realised it was vulnerable and applied a patch.
But it was too late – Mumsnet co-founder Justine Roberts told the BBC that they found out they had already been breached when her own username and password were used to post a message online. The hackers then informed the site's administrators that the attack was linked to Heartbleed and user data was at risk.
This is the first known breach in the UK caused by Heartbleed – which was first revealed by researchers from Google and Finland's Codenomicon on 7 April. But Heartbleed has also been blamed for an attack earlier this week on the Canadian tax authority which led to 900 people's social insurance numbers being stolen.
The flaw, present in OpenSSL versions 1.0.1 to 1.0.1f, lets attackers read memory from affected servers, exposing the encryption keys and user data held there. Until patches are applied, an estimated 500,000 websites remain at risk, as well as devices such as routers and switches and operating systems including Android.
The US ICS-CERT agency, part of the Department of Homeland Security, first warned about Heartbleed on 10 April stating: “ICS-CERT is aware of several instances of targeted active exploitation of this vulnerability.”
But Tim Holman, UK president of the Information Systems Security Association (ISSA), which represents information security professionals, has questioned why the UK's own newly formed national CERT has remained silent.
Speaking about the Heartbleed flaw, he told SCMagazineUK.com via email: “This is a national cyber security incident. The latest advice on the Government's newly released CERT-UK that supposedly handles incidents like this is that Windows XP support is now end-of-life. If the Government cannot take issues like this seriously, then we don't stand a chance.”
[Update: CERT-UK had actually issued two advisories, plus one later on April 17].
Holman said: “Mumsnet have taken the initiative to check if their systems are vulnerable, have patched their systems and issued an appropriate response to their users, but I haven't seen any other organisations step forward and proactively alert their users, and I'm talking some pretty big names. Even if a site is not affected I'd quite like to know about it.”
He added: “Facebook and other big-name websites were given advance warning that the Heartbleed vulnerability was about to be made public, and given plenty of time to patch their vulnerable systems. Phew. The big names are OK, that's a relief, but what about the 500,000-plus SMEs that didn't find out about the bug until it hit the news, and then had to spend time working out if they were affected or not, whilst the black hat community uses every available means to land-grab as much personal data as possible? This is an absolute disaster – someone's tossed all OpenSSL users a live grenade and thrown away the safety pin.”
Mumsnet has told its members in a website posting: “We have no way of knowing which Mumsnetters were affected by this. The worst-case scenario is that the data of every Mumsnet user account was accessed. That's why we've required every user to reset their password.
“The bug allowed access to the information submitted via the login page. So that includes your username or email plus your password. It is possible that this information could then have been used to log in as you and give access to your posting history, your personal messages and your personal profile, although we should say that we have seen no evidence of anyone's account being used for anything other than to flag up the security breach, thus far.”
Citing the phrase “passwords are like underwear – change them often”, Mumsnet has urged its members to change passwords every few months, make them as secure as possible, and use different passwords for different accounts.
Mumsnet was contacted by SC UK for further comment but was not able to respond at time of writing. This story was updated on April 17.