Following Seggelmann's request to put the result of his work into OpenSSL, his change was reviewed by Stephen N. Henson. Henson failed to notice a bug in Seggelmann's implementation, and introduced the flawed code into OpenSSL's source code repository on December 31, 2011.
The defect spread with the release of OpenSSL version 1.0.1 on March 14, 2012.
The Sydney Morning Herald published a timeline of the discovery on April 15, 2014, showing that some organizations had been able to patch the bug before its public disclosure. The Canada Revenue Agency reported a theft of Social Insurance Numbers belonging to 900 taxpayers, and said that they were accessed through an exploit of the bug during a 6-hour period on April 8, 2014.
The agency said it would provide credit protection services at no cost to anyone affected.
In this way, attackers could receive sensitive data, compromising the confidentiality of the victim's communications.
Although an attacker has some control over the disclosed memory block's size, they have no control over its location, and therefore cannot choose what content is revealed.
but it is unclear whether potential attackers were aware of it earlier and to what extent it was exploited.
Based on examinations of audit logs by researchers, it has been reported that some attackers may have exploited the flaw for at least five months before discovery and announcement.
The breach happened a week after Heartbleed was first made public.
On April 16, the RCMP announced they had charged a computer science student in relation to the theft with unauthorized use of a computer and mischief in relation to data.
Studies were also conducted by deliberately setting up vulnerable machines.
Heartbleed therefore constitutes a critical threat to confidentiality.
However, an attacker impersonating a victim may also alter data.