The Heartbleed scare is far from over. Websites are still discovering that they are vulnerable. Last weekend, it was announced that the US site healthcare.gov and the Canadian site cra-arc.gc.ca/menu-eng.html were affected. Top VPN iVPN urges users to carefully check websites for vulnerabilities before using them.
US Government Site Vulnerable to Heartbleed
Many people log into government websites. Just last weekend, reports came in that the US federal health insurance program’s website had the Heartbleed vulnerability. This is very dangerous to all citizens who have health insurance data on the site. It can be a huge and very sensitive privacy breach. A post on healthcare.gov says that they have no reason to believe that any data was or is at risk. It also says that they have taken steps to deal with the Heartbleed issue.
The Department of Homeland Security is advising users to change their passwords anyway. iVPN concurs, since users may still be vulnerable if the bug was exploited before the site applied the fixes. Many government websites do not use OpenSSL, so Heartbleed does not affect them. Those that do are upgrading their OpenSSL versions to avoid Heartbleed troubles.
Canadian Government Site Hacked using Heartbleed Bug
The Canada Revenue Agency (CRA) website cra-arc.gc.ca/menu-eng.html was also found vulnerable to Heartbleed. And before they could fix the problem, the site got hacked. The CRA website announced that the bug was exploited, leaking 900 social insurance numbers. University student Stephen Arthuro Solis-Reyes, 19, was charged with exploiting Heartbleed to steal the data that the site held on taxpayers.
Corporate VPN Compromised by Heartbleed
A large private company was also attacked last weekend. Their security company FireEye was able to catch the breach, which was reported by their response team Mandiant. The company remains unnamed, but Mandiant revealed that corporate VPN sessions were hijacked. The attackers used the Heartbleed bug to steal authentication keys from one of the company’s VPN devices. They were then able to log on like authentic users and unlock doors along the way. Mandiant did not reveal if any data was stolen, but iVPN warns that many companies may still be unaware of possible data leaks caused by Heartbleed exploits.