Mumsnet becomes first known UK victim of Heartbleed bug

Parenting website Mumsnet is the first known UK victim of hackers exploiting the recently discovered Heartbleed bug.

The site revealed it has reason to believe hackers could access the passwords and messages of its 1.5 million users before the vulnerability was fixed.

The revelation came within hours of the Canada Revenue Agency announcing that hackers exploiting the Heartbleed bug had stolen the social insurance numbers of 900 Canadians.

The vulnerability is caused by a flaw in OpenSSL software, which is widely used on the internet to provide security and privacy by encrypting data exchanges.

Mumsnet founder Justine Roberts told the BBC it became apparent that user data was at risk when her own username and password were used to post a message online.

Hackers later informed the site’s administrators that the breach was enabled by the Heartbleed bug and that the site’s data was not safe.

“On Friday 11 April, it became apparent that what is widely known as the Heartbleed bug had been used to access data from Mumsnet users’ accounts,” the London-based website said in an email to members.

Mumsnet is resetting all member passwords because it said there was no way of knowing which accounts were affected, and it had to work on the assumption that all accounts may have been exposed.

However, site administrators said there was no evidence that any account had been used for anything other than to highlight the security vulnerability.

Independent security advisor Graham Cluley said he was pleased Mumsnet advised users to change other passwords if they used their Mumsnet password elsewhere on the net.

“You should never use the same password in more than one place – otherwise you could have an account breach on a site, which might not be critically important (Mumsnet, for instance) leading to much more serious hacks of your personal information elsewhere,” he wrote in a blog post.

While the Canadian tax agency is informing people of its breach by registered letter, Mumsnet has reportedly been criticised for sending users an email containing a link to its password reset page.

Standard online security advice dictates that users should be wary of clicking links in emails. An email urging users to visit the Mumsnet site to reset passwords would have been better, critics said.

Keith Bird, UK managing director of security firm Check Point, said it is important that people are cautious about clicking on any links in emails that they receive from organisations claiming that their security has been affected as a result of Heartbleed.

“There is a real risk that these are simply phishing emails, aiming to trick users into giving away personal details and passwords,” he said.

Although it was unwittingly introduced to the OpenSSL code in December 2011, the Heartbleed bug was made public only on 8 April 2014 by researchers at Google and Finnish security firm Codenomicon.

The researchers discovered that a coding flaw could enable hackers to access 64KB of unencrypted data repeatedly from the memory of systems using vulnerable versions of OpenSSL.

Large hardware, software and internet service providers have moved quickly since the bug was made public. But hundreds of thousands of IT systems will remain vulnerable to data theft until the affected versions of OpenSSL can be updated.

Millions of Android devices remain vulnerable to the bug a week after the flaw was made public and Google announced that devices running version 4.1.1 of its mobile operating system (OS) were at risk.

Google has created a fix, but it has yet to be pushed out to many of the devices that cannot run higher versions of the OS, potentially putting users at risk of data theft, reports the BBC.

Security firms have warned that hundreds of apps available across multiple platforms still need to be fixed and that hardware, including smartphones, routers and cable boxes, is potentially affected.


Via: computerweekly

