(Adds comment from security expert, detail on Akamai)
By Jim Finkle and Ross Kerber
BOSTON, April 16 American Funds, the No. 3 U.S.
mutual fund family, advised some customers to change user names
and passwords on Wednesday as the number of companies and people
affected by the notorious "Heartbleed" bug grows.
The company sent emails to some 825,000 clients, saying they
had been exposed to "a very narrow window of risk" related to
"Heartbleed," which has been described as the biggest computer
security threat since the mass adoption of the Internet.
American Funds also advised customers who logged into
Americanfunds.com from Dec. 12, 2013 to April 14 to create new
security questions and delete their browsing history.
Heartbleed refers to a security bug in software known as
OpenSSL used in about two-thirds of all websites and many other
technology products. Hackers have created malicious software
that exploits the bug, allowing them to attack vulnerable
websites and steal data.
Dan Guido, chief executive of cybersecurity startup Trail of
Bits, said more warnings are likely because no company will want
to be remiss in trying to protect customers.
"I expect to see a lot more of this," Guido said.
On Tuesday, Canada's tax authority became the first major
organization to report an attack related to Heartbleed, and more
are expected. Canadian police on Wednesday
charged a 19-year-old man in connection with exploiting the bug
to steal taxpayer data.
American Funds spokesman Chuck Freadhoff said his firm does
not believe it has been breached and issued the notice "out of
an abundance of caution" after learning that a vendor had been
affected by Heartbleed. He did not identify that vendor.
"It would be almost impossible to access a shareholder's
account and transact, given the multiple layers of security
within the American Funds system," he said.
OpenSSL software helps encrypt traffic with digital
certificates and "keys" that keep information secure while in
transit over the Internet. Heartbleed went undetected for
several years, so experts believe hackers have likely stolen
some certificates and keys, leaving data vulnerable.
American Funds' decision to alert customers may be related to
a move by Akamai Technologies Inc to replace the
digital security keys of its customers.
The Americanfunds.com site is routed through Akamai, one of
the biggest providers of services for distributing and securing
websites, said John Bumgarner, chief technology officer with the
U.S. Cyber Consequences Unit. He reviewed the digital SSL
certificate embedded on the fund company's website.
Akamai had said on Monday that it was replacing SSL
certificates of its customers out of concern that those keys may
have been compromised before the bug had been discovered.
"Anything could have happened," Akamai Chief Security
Officer Andy Ellis said when asked on Monday about the impact of
exposure to Heartbleed on SSL customers. "There is a lot going
on here. This is a 'can of worms' question."
Both Akamai and American Funds declined to say whether SSL
keys for American Funds have been replaced.
(Reporting by Jim Finkle; Additional reporting by Toni Clarke,
Ross Kerber and Tim McLaughlin; Editing by Richard Valdmanis and