A 19-year-old Canadian student has become the first person known to be arrested for exploiting the Heartbleed bug, which left millions of websites vulnerable when it was revealed last week.

Stephen Arthuro Solis-Reyes, from London, Ontario, was arrested "without incident" at his home on Tuesday and faces charges relating to stealing the information of 900 Canadian taxpayers from the Canadian Revenue Agency (CRA) website last week.

Solis-Reyes will appear in court on 17 July where he will face one count of "unauthorised use of computer" and one count of "mischief in relation to data".

Solis-Reyes is believed to have exploited the Heartbleed vulnerability to steal some or all details relating to 900 Canadian taxpayers through the CRA's website last week, after the vulnerability was made public but before the system administrators had a chance to patch the agency's website.

"The RCMP [Royal Canadian Mounted Police] treated this breach of security as a high priority case and mobilised the necessary resources to resolve the matter as quickly as possible," said Assistant Commissioner Gilles Michaud.

"Investigators from National Division, along with our counterparts in 'O' Division have been working tirelessly over the last four days analysing data, following leads, conducting interviews, obtaining and executing legal authorisations and liaising with our partners."


Speaking to CBC News in Canada, the lawyer for Solis-Reyes said his client was "devastated" and felt "sucker-punched" by his arrest.

"He is an A student and a very, very bright young man," Faisal Joseph said. He added that Solis-Reyes had voluntarily handed himself in to police on Tuesday after they threatened to arrest him in the middle of one of his classes.

This followed a 1am police raid on his house on Sunday night. The RCMP confirmed it had conducted a search of the suspect's residence and computer equipment was seized.

Solis-Reyes attends Western University where his father Roberto Solis-Oba teaches computer science.

Security breach

The Canadian Revenue Agency (CRA) confirmed on Monday that the social insurance numbers for 900 Canadian taxpayers had been stolen as part of a cyber attack which used the Heartbleed bug.

The CRA became aware of the security breach while it was trying to update its systems to patch the OpenSSL vulnerability. The agency's website was shut down as a precaution last week as the group worked to fix the vulnerability, but it informed the Canadian police on Friday that it had confirmed there had been a breach.

The Heartbleed bug was made public on 7 April and revealed that a flaw in the OpenSSL code, which was implemented over two years ago, allowed sensitive information like passwords, credit card information and even private encryption keys to be stolen from millions of websites.

Mumsnet response

So far the only other confirmed use of the Heartbleed exploit has been against Mumsnet, which on Wednesday published a detailed explanation of what happened.

Founder Justine Roberts had her username and password stolen and the attacker posted bogus messages on the site under her name. The attacker wrote:

"I hope the actions of hijacking Justine's account help draw attention to how big a deal this is. I suspect a lot of people would not have taken it seriously otherwise. Be thankful that the person who got access to the server information was kind enough to let you all know [and at least try and be funny with it] instead of simply sitting on the information."