The Heartbleed bug has already been exploited by hackers in China, according to reports on Wednesday. The news comes as Mashable published a report listing the websites on which users need to change their passwords right away.
The existence of the bug (or “virus,” as some reports erroneously called it) was publicly revealed just over a week ago, prompting major websites, including those of the U.S. government and tax filing companies, to upgrade their OpenSSL security software.
But the Sydney Morning Herald reports that attacks from China have been launched. J. Alex Halderman, an assistant professor of electrical engineering and computer science at the University of Michigan, said that the university was attacked by a computer located in China that exploited the Heartbleed error. The university computer that was hacked was described as a “honeypot,” a machine intentionally made vulnerable to attract hackers so they can be studied.
At least 41 attempts to exploit the Heartbleed error have been made on that single computer at the University of Michigan, Halderman said.
“We have observed 41 unique hosts scanning for and attempting to exploit the Heartbeat Vulnerability. These attacks were discovered on three out-of-the-way honeypots that we are maintaining. Of these 41 hosts, 59% were located in China and accounted for 45% of the attacks. The first probe we detected was at 1539 GMT on April 8, 2014. Given that our honeypots are hosted on out-of-the-way hosts and not on a major website, it is most likely that these hosts were performing comprehensive scans or scans of a large sample of the Internet. The most data that was retrieved by a single scanner was 300 KB,” researchers wrote.
According to the experts, “The Heartbleed Bug is a vulnerability in the OpenSSL cryptographic library that allows attackers to invisibly read sensitive data from a web server. This potentially includes cryptographic keys, usernames, and passwords.”
AP Update: Study shows increase in online information thefts
NEW YORK (AP) — The number of Americans who say they’ve had important personal information stolen online is on the rise, according to a Pew Research Center report released Monday.
According to the survey conducted in January, 18 percent of online adults have had personal information stolen, such as their Social Security number, credit card or bank account information. That’s up from 11 percent in a July 2013 Pew survey.
The number of adults who had an online account compromised or taken over without their permission — such as email or social media — remained flat at 21 percent.
The survey was done after news broke of Target Corp.’s massive pre-Christmas data breach, but well before last week’s discovery of the “Heartbleed” bug, which has caused widespread worry across the Internet.
The Target breach resulted in the theft of 40 million debit and credit card numbers, along with the personal information of up to 70 million people. The cost of replacing potentially stolen debit and credit cards has already reached into the tens of millions of dollars.
Other companies, including Neiman Marcus and Michaels, subsequently reported their own smaller data breaches.
It remains unclear whether hackers have been able to exploit Heartbleed, which went undetected for more than two years, to steal personal information. The bug is caused by a flaw in OpenSSL software, which is used on the Internet to provide security for both websites and networking devices such as routers, switches and firewalls.
The Pew survey, conducted between Jan. 23 and 26, polled 1,002 adults living in the continental U.S. It has a margin of error of plus or minus 3.5 percentage points.