Share story

SAN FRANCISCO — Within 24 hours of the Heartbleed bug’s disclosure last week, an attacker used it to break into the network of what was called a “ major corporation,” security experts said Friday.

Using Heartbleed, the name for a flaw in security software that is used in a wide range of Web servers and Internet-connected devices, the attacker was able to break into an employee’s encrypted virtual private network, or VPN, session.

From there, the hacker or hackers used the Heartbleed bug about 1,000 times, extracting such information as passwords to gain broader access to the victim’s network, said researchers at
online-security firm Mandiant.

The targeted company noticed the attack only in its later stages. When the company analyzed what had happened, it realized Heartbleed was used as the entry point, said Christopher Glyer, an investigator at Mandiant. The attack was one of the first confirmed cases of a hacker using Heartbleed. Up until now, researchers say, they have seen widespread scanning of the Internet for vulnerable servers, and in some cases people have taken material from those servers using Heartbleed.

This week, save 90% on digital access.

But it has been nearly impossible, they say, to discern between the activities of security researchers and hackers, and there has been no evidence of actual harm.

Investigators were still assessing whether damage had been done in this case, and because of nondisclosure agreements, the firm has not named the targeted company; Mandiant has said only that it is a “major corporation” with particularly sophisticated attack detection systems. “The main take-away is that within 24 hours of Heartbleed’s publication, we’re seeing this taken advantage of,” Glyer said. “And it’s entirely likely lots of other companies are being affected and just don’t know it yet.”

On Tuesday, a 19-year-old man was arrested in Canada on charges he had used Heartbleed to steal taxpayer data from the Canada Revenue Agency. At the University of Michigan, computer scientists said the Heartbleed bug had been used 140 times to gain access to stashes of data they had put on the Internet as a test.

The researchers could not say whether this was the work of attackers or other security researchers, but they did say more than half the infiltrations originated in China.

The University of Michigan researchers said this week that more than 1 million Web servers were still vulnerable. They are keeping an updated tally on the website of their project, called ZMap.

It was still unclear whether Heartbleed was exploited before its discovery by a Google researcher this month.

For the past week, researchers at Lawrence Berkeley National Laboratory and the National Energy Research Scientific Computing Center have been examining Internet traffic they recorded going in and out of their networks since the end of January, looking for exploitations of Heartbleed before its existence became public April 7.

So far, they have found none.

Custom-curated news highlights, delivered weekday mornings.