Teenage Heartbleed Hacker Arrested by Police

Brandon Dimmel's picture

The first major arrest has been made in association with the recently discovered Heartbleed bug. The suspect is a 19-year-old Canadian hacker who exposed roughly 900 social insurance numbers of the Canada Revenue Agency.

The Heartbleed bug first made headlines last week. It's a shocking vulnerability in the popular OpenSSL cryptographic software library that, if exploited, can be used to steal protected information from secure websites and similar web services.

According to the Washington Post, the bug may affect as much as two-thirds of the entire Internet. (Source: washingtonpost.com)

Heartbleed Bug Suspect a Talented Young Programmer

On Wednesday police in London, Ontario, Canada, arrested Stephen Solis-Reyes in connection with a cyber-attack that targeted the Canada Revenue Agency (CRA), the country's equivalent of the United States Internal Revenue Service (IRS).

Toronto's Globe and Mail reports that Solis-Reyes is a sophomore at The University of Western Ontario, a major research institution based in London. He's also an accomplished programmer, having placed first in a programming competition held by the London District Catholic School Board.

Solis-Reyes is also the creator of a BlackBerry phone application designed to solve Sudoku puzzles. Solis-Reyes released the app while he was still in high school. (Source: npr.org)

Teen Hacks Canada Revenue Agency Website

According to reports, Solis-Reyes used the Heartbleed bug to hack the Canada Revenue Agency website and expose the social insurance numbers of approximately 900 Canadian taxpayers. It's suggested that the CRA website was vulnerable for a period of about six hours after news of the bug went public, though the bug itself has reportedly been in the wild for over 2 years.

CRA representative Andrew Treusch says the agency has since implemented a patch for the bug and has "vigorously tested all systems to ensure they [are] safe and secure."

A representative for the Royal Canadian Mounted Police (RCMP), says the investigation into Canada Revenue Agency's system was ongoing for four days prior to making the arrest. Solis-Reyes has now been charged with "unauthorized use of a computer" and "mischief in relation to data".

The RCMP says Solis-Reyes is scheduled to appear in court on July 17. (Source: bbc.com)

More Heartbleed Bug Arrests Highly Likely

Security experts believe similar cases and arrests will come forth in the coming year in relation to the Heartbleed bug.

Experts warn that all Internet users should change all of their passwords immediately in order to protect their most sensitive information. Even so, that warning comes with a number of caveats, as a password change is only good if the website being accessed has already been patched.

What's Your Opinion?

Are you worried that major organizations and institutions such as the IRS will be hacked using the Heartbleed bug? Have you changed all of your passwords, as suggested by security experts? Or do you think it's unlikely that the bug will be exploited on a wide scale? Finally, how do you think authorities should handle a teenage hacker like Solis-Reyes?

Rate this article: 
Average: 5 (1 vote)


DavidFB's picture

Some of your content in this article is out of date. For example "the bug may affect as much as two-thirds of the entire Internet." About 2/3's of web servers use OpenSSL and were thus susceptible to (did affect) the bug. But that was a week ago Monday.

Most organizations were patched within a couple of days. Smaller services were a little slower. Latest I've seen is that under 1% remain unpatched. But that's still plenty.

If you want to check, you can do so here:
They list some recent fails.

The article is interesting news but CRA is unique - they knew they'd been hacked due to far greater security. Most places wouldn't know.

LastPass password manager is a great tool for ensuring you have strong and unique passwords for web sites. You only have to remember one password. It also had a tool to identify the key sites you needed to update your passwords on quickly. Like a week ago.

It also points to another reason why using social media logins to access other sites is a bad idea. I find it disappointing InfoPackets offers this given how bad a practice it is. Not to mention you handing your browsing activity to the social site for their profit.

As far as the hacker goes, it depends a little on his motivation and what he did with the hacked info. Was he seeking profit or just seeing if he could do it? Stupidity isn't necessarily criminal.

ClemsKreb's picture

It might be unpopular but I'm sick and tired of hackers as a whole. They sell themselves off as the Robin Hoods of the tech world, but I'm not buying that anymore. Like this punk who the Canadian police just caught, I'd throw him away in solitary confinement with no contact with the outside world beyond pencil and paper. These thugs who hold all of us up with their shenanigans probably are some of the brightest minds out there and instead of trying to solve the problems of the world they would prefer to be terrorists, so they should be treated as such.

IdeasVacuum's picture

I am certainly not a fan of Hackers in any way and I believe they must be given severe punishment to deter others.

However, the young man in this case has thus far been arrested as a suspect, he has not been tried and found guilty of this crime - so why has the media published so much about him? What if he is innocent? The stress of all this attention, world-wide, is enough to make anyone do something unwise. No matter how strong our feelings are, he is innocent until proven guilty.