The Canada Revenue Agency (CRA) confirmed on Monday that the social insurance numbers of 900 Canadian taxpayers had been stolen in a cyber attack that exploited the Heartbleed flaw revealed last week.
In what is the first publicly confirmed successful exploitation of the Heartbleed bug, the CRA said the details of those 900 taxpayers may not be the only information taken from its systems:
"Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analysing other fragments of data, some that may relate to businesses, that were also removed."
The CRA became aware of the breach while it was working to patch the vulnerability. The agency's website was shut down as a precaution last week while it fixed the flaw, and on Friday it informed the Canadian police that it had confirmed a breach had taken place.
The website reopened for use over the weekend.
The Heartbleed bug was made public last Monday. It is a flaw in OpenSSL, the cryptographic library used by millions of websites, that had been present in the code for over two years and allowed sensitive information such as passwords, credit card details and even servers' private encryption keys to be read from the memory of affected systems.
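How the flaw worked, as an added example that is not code from the article or from OpenSSL itself: Heartbleed (CVE-2014-0160) sat in OpenSSL's handling of TLS heartbeat requests. A request carries a 16-bit field stating how long its payload is, and the vulnerable code copied that many bytes into the reply without checking that the peer had actually sent that many, so a tiny request claiming a large payload pulled back whatever lay next in memory. The model below is deliberately simplified: a constructed `arena` array stands in for process memory, the `build_request`, `heartbeat_vulnerable`, `heartbeat_fixed`, `contains` and `leaks_secret` helpers are hypothetical names chosen here, and the fake `SESSION-SECRET` string plays the part of whatever a real server happened to have in the adjacent allocation.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ARENA_SIZE 256

/* Constructed stand-in for process memory: the heartbeat request is placed
 * at the start and a fake session secret sits right after it, the way a
 * neighbouring heap allocation would. */
uint8_t arena[ARENA_SIZE];

typedef size_t (*heartbeat_fn)(const uint8_t *req, size_t received,
                               uint8_t *out, size_t outcap);

/* Lay out a heartbeat request: type (1 byte) | payload length (2 bytes,
 * big-endian) | payload, followed by the neighbouring secret. Returns the
 * number of bytes the peer actually sent (the secret is NOT part of it). */
size_t build_request(uint16_t claimed_len, const char *payload,
                     const char *neighbour)
{
    size_t plen = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                              /* TLS1_HB_REQUEST */
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, payload, plen);
    memcpy(arena + 3 + plen, neighbour, strlen(neighbour));
    return 3 + plen;
}

/* Vulnerable handler: trusts the peer's length field and copies that many
 * bytes starting at the payload, whatever was actually received. The clamp
 * to outcap only keeps this model inside the arena; it does not fix the bug. */
size_t heartbeat_vulnerable(const uint8_t *req, size_t received,
                            uint8_t *out, size_t outcap)
{
    (void)received;
    size_t claimed = ((size_t)req[1] << 8) | req[2];
    if (claimed > outcap)
        claimed = outcap;
    memcpy(out, req + 3, claimed);
    return claimed;
}

/* Fixed handler: discard any request whose claimed payload does not fit in
 * the bytes received. (The real OpenSSL fix additionally requires 16 bytes
 * of padding after the payload; that detail is omitted from this model.) */
size_t heartbeat_fixed(const uint8_t *req, size_t received,
                       uint8_t *out, size_t outcap)
{
    if (received < 3)
        return 0;
    size_t claimed = ((size_t)req[1] << 8) | req[2];
    if (3 + claimed > received || claimed > outcap)
        return 0;                              /* silently drop, as the fix does */
    memcpy(out, req + 3, claimed);
    return claimed;
}

/* Does buf[0..n) contain the byte string needle? */
int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Send a 2-byte payload that claims to be 64 bytes long and report whether
 * the handler's reply carried the neighbouring secret back to the peer. */
int leaks_secret(heartbeat_fn handler)
{
    uint8_t reply[ARENA_SIZE];
    size_t received = build_request(64, "hi", "SESSION-SECRET");
    size_t n = handler(arena, received, reply, sizeof reply);
    return contains(reply, n, "SESSION-SECRET");
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n",
           leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n",
           leaks_secret(heartbeat_fixed));
    return 0;
}
```

The vulnerable handler returns 64 bytes for a 5-byte request and the fake secret comes back with them; the fixed handler drops the request and returns nothing, while still answering an honest request whose claimed length matches what was sent. Because a real server's adjacent memory could hold its private key, patching alone does not undo a leak that has already happened, which is why operators were advised to reissue certificates and reset credentials after updating.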
The CRA said those affected would be contacted only by registered letter, and that any email or telephone communication about the incident should be treated as fraudulent.
Keith Bird, UK managing director of security company Check Point said: "Hackers were obviously alert to the vulnerability, and quick to exploit it. The Agency has done the right thing by stating it will contact those affected via registered letters only, and that attempts to contact taxpayers via email or telephone will be fraudulent."
Bird said this was likely just the beginning of a flood of similar announcements in the coming days and weeks:
"I believe we'll see more announcements like this over the coming days. So it's really important that people are cautious about clicking on any links in emails that they receive from organisations claiming that their security has been affected as a result of Heartbleed, no matter how plausible the emails appear to be. There's a real risk that these are simply phishing emails, aiming to trick users into giving away personal details and passwords."