Oops, I submitted a duplicate of this. (Upvoted yours) Vulnerability was disclosed on Monday, April 7th. CRA website was shut down on Wednesday, April 9th. Didn't take long for the baddies to take PoCs and point them at vulnerable sites. Any other high-value sites that took more than a day to patch should take this as a warning.
I wonder if the data was stolen after or before the vulnerability was disclosed. On the other side of it, I think it's really great that they've been able to determine exactly what was stolen from this so that they can attempt to repair any damages.
Considering the significance of the vulnerability, the only thing I can say is the government is extremely lucky that the number is only 900. For Canadians, SIN numbers are about as critical as it gets.
tl;dr: "We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed." The agency says those affected will be contacted via registered letters, and that any attempts to contact a taxpayer via email or telephone are fraudulent.
Is this the only reported case of malicious use of Heartbleed so far? (Besides US government agencies allegedly) If so, is it safe to say that this crisis was dealt with rather well? Or is it just too early to know how many sites were actually attacked?
Presumably the numbers were stolen along with associated identity information. The numbers can be easily guessed; they are created with a simple algorithm.
How can you steal a number? Here's a number: 147334572. Have I stolen it? This is yet another alarming signal that the whole idea that your SSN/SIN or credit card number is somehow secret and can be used for authentication is flawed. We need to work on fixing this. At the very least, we should stop talking about "stolen numbers". And even if the breach in question resulted in attackers gaining access to names + numbers (unclear from the article), it should not cause any serious consequences.