SAN FRANCISCO » Within 24 hours of the Heartbleed bug’s disclosure last week, an attacker used it to break into the network of a major corporation, security experts said Friday.
Using Heartbleed, the name for a flaw in security software that is used in a wide range of Web servers and Internet-connected devices, the attacker was able to break into an employee’s encrypted virtual private network, or VPN, session.
From there, the hacker or hackers used the Heartbleed bug about 1,000 times, extracting information like passwords to gain broader access to the victim’s network, researchers at Mandiant, an online security firm, said.
The targeted company noticed the attack only in its later stages. When the company analyzed what had happened, it realized that Heartbleed was used as the entry point, said Christopher Glyer, an investigator at Mandiant.
The attack was one of the first confirmed cases of a hacker’s using Heartbleed. Until now, researchers say, they have seen widespread scanning of the Internet for vulnerable servers, and in some cases people have taken material from those servers using Heartbleed. But it has been nearly impossible, they say, to distinguish between the activities of security researchers and hackers, and there has been no evidence of actual harm.
Investigators were still assessing whether damage had been done in this case, and because of nondisclosure agreements, the firm has not named the targeted company; Mandiant has said only that it is a "major corporation" with particularly sophisticated attack detection systems.
"The main takeaway is that within 24 hours of Heartbleed’s publication, we’re seeing this taken advantage of," Glyer said. "And it’s entirely likely lots of other companies are being affected and just don’t know it yet."
On Tuesday, a 19-year-old man was arrested in Canada on charges that he had used Heartbleed to steal taxpayer data from the Canada Revenue Agency.
At the University of Michigan, computer scientists said the Heartbleed bug had been used 140 times to gain access to stashes of data that they had put on the Internet as a test. They could not say whether this was the work of attackers or other security researchers, but they did say that more than half the infiltrations originated in China.
The University of Michigan researchers said this week that more than 1 million Web servers were still vulnerable. They are keeping an updated tally on the website of their project, called ZMap.
It was still unclear whether Heartbleed was exploited before its discovery by a Google researcher this month.
For the past week, researchers at Lawrence Berkeley National Laboratory and the National Energy Research Scientific Computing Center have been examining Internet traffic they recorded going in and out of their networks since the end of January, looking for exploitations of Heartbleed before its existence became public on April 7.
So far, they have found none.