American Funds, one of the largest US mutual fund companies with 20 million investors, emailed 825,000 of these clients a letter asking them to change their computer usernames and passwords due to the threat of the “Heartbleed” internet bug.
Financial services dependent on technology
Financial services firms go to great lengths to secure their technology, but even the most sophisticated technical setups are vulnerable. While the firm had “no information to suggest that investor passwords or account information had been compromised,” the mutual fund provided the advice “out of an abundance of caution.”
“The risk, though quite remote, involves information that passes through servers maintained by one of our vendors,” the letter said. “The vendor responded promptly to this threat by installing a security patch before news of the bug was made public, and they continue to evaluate and address potential risks.”
The warning applies to shareholders who logged in from December 12, 2013 to April 14.
Heartbleed bug affects OpenSSL web platforms
Heartbleed is a vulnerability in a technical platform called OpenSSL that is used in nearly 60% of the world’s web sites. “Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet,” Forbes columnist Joseph Steinberg wrote in a blog post.
OpenSSL is a widely used security software application used to secure online banking, credit card payments, and other sensitive activities, and could have been used in as many as 500,000 websites around the world. A patch for the vulnerability has since been developed and applied to most servers, yet operators of servers that have been affected may have no way of knowing, because exploiting the bug leaves no trace. Warnings such as those from American Funds are precautionary in nature.
NSA reported to be aware of Heartbleed bug, scolded for not taking action to protect US economy and its citizens
Complicating matters, five days ago a Bloomberg report said that the US National Security Agency was aware of the Heartbleed bug for two years but took no action against it because it provided intelligence on the NSA’s targets. The NSA has since vehemently denied this charge, but as Bloomberg points out, this denial fails to jibe with Congressional reports. In December a review group, handpicked by US President Barack Obama, prophetically addressed the need for the NSA to reveal security breaches rather than to exploit them: “In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection,” the group told the president. “Eliminating the vulnerabilities — ‘patching’ them — strengthens the security of US Government, critical infrastructure, and other computer systems.”