Underscoring the severity of the Heartbleed bug affecting huge swaths of the Internet, hackers exploited the vulnerability to steal taxpayer data for at least 900 Canadian citizens and an unknown number of businesses, officials in that country warned Monday morning.

Canada Revenue Agency (CRA) officials said they removed public access to online tax services last Tuesday, a day after the catastrophic defect in the widely used OpenSSL cryptography library surfaced. But by then it was too late. Hackers casing online CRA services were nonetheless able to exploit the OpenSSL flaw, which makes it possible to pluck private encryption keys, passwords, and other sensitive data out of the private memory of servers running vulnerable versions of the open-source library.

"Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period," Canadian officials disclosed in a blog post published Monday morning. "Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed."

Monday's post is among the first to disclose malicious exploitation of the two-year-old Heartbleed bug. By last Tuesday, researchers had shown that Heartbleed was exposing usernames and passwords of Yahoo Mail users, and some Ars readers also reported that their accounts were compromised before Ars servers were updated. OpenSSL is the Internet's most widely used implementation of Web encryption, so it wouldn't be surprising if vast numbers of sites were similarly attacked. Update: Later on Monday, UK-based parenting website Mumsnet said hackers exploited a vulnerable version of OpenSSL on its servers to obtain user names and passwords.

Over the weekend, at least four separate researchers independently demonstrated that private encryption keys are among the things Heartbleed can expose. While the demonstrations merely echoed initial warnings from the researchers who discovered Heartbleed, the weekend's confirmations drove home just how much damage can be done to vulnerable systems. A stolen key lets an attacker run an impostor site that presents the legitimate certificate and is cryptographically indistinguishable from the real one, and the key stays good even after the legitimate site has updated OpenSSL to a version that's not vulnerable, unless the site also revokes the old certificate and issues a new key pair.

The Heartbleed vulnerability (CVE-2014-0160) is the result of a missing bounds check in the OpenSSL code that handles the Transport Layer Security (TLS) heartbeat extension. Heartbeat lets a connected Web client or application send a small message that the other side echoes back, to keep a connection alive; the message carries its own payload-length field, and vulnerable versions of OpenSSL copied that many bytes into the reply without confirming the record actually held that much, so a short message claiming a large payload pulled whatever sat next to it in memory into the response. According to Netcraft, two-thirds of websites rely on OpenSSL to implement HTTPS encryption, although not all of them have Heartbeat enabled.
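The following is an added illustration, not code from the article or from OpenSSL itself: a stripped-down model of a heartbeat handler in C showing the pre-fix logic beside the bounds check the OpenSSL patch introduced. The record layout (type byte, two-byte big-endian payload length, payload, at least 16 bytes of padding) follows RFC 6520; the simulated heap, the constructed "secret" placed after the record, and the function names are assumptions made for the demonstration. The real handlers live in OpenSSL's `tls1_process_heartbeat` and `dtls1_process_heartbeat` and operate on `s->s3->rrec`, which this model replaces with a plain buffer and a length.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING      16   /* RFC 6520: at least 16 bytes of padding */

/* Simulated slice of server heap (an assumption for the demo: in OpenSSL the
 * record sits in a heap buffer with unrelated data after it). The received
 * heartbeat record goes at the front; a constructed "secret" sits right after. */
#define SIM_HEAP_SIZE 256
static unsigned char sim_heap[SIM_HEAP_SIZE];
static const char secret[] = "SIN=123456789;pw=hunter2";   /* constructed sample data */

/* Build a request: type(1) | claimed_len(2, big-endian) | payload | padding.
 * actual_len is what is really sent; claimed_len is what the header says.
 * Returns the true length of the record as it arrived. */
static size_t build_request(const unsigned char *payload, size_t actual_len, uint16_t claimed_len)
{
    size_t record_len = 3 + actual_len + HB_PADDING;
    memset(sim_heap, 0, sizeof sim_heap);
    sim_heap[0] = TLS1_HB_REQUEST;
    sim_heap[1] = (unsigned char)(claimed_len >> 8);
    sim_heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(sim_heap + 3, payload, actual_len);
    memcpy(sim_heap + record_len, secret, sizeof secret);   /* neighbouring heap data */
    return record_len;
}

/* Vulnerable handler, modelled on the pre-fix logic: the payload length comes
 * from the attacker-controlled header and is never compared with rec_len. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *resp)
{
    (void)rec_len;                                /* the real record length is ignored */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    resp[0] = TLS1_HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);           /* over-reads past the record */
    memset(resp + 3 + payload, 0, HB_PADDING);    /* OpenSSL fills this with random bytes */
    return 3 + payload + HB_PADDING;
}

/* Fixed handler: the two checks the OpenSSL patch added. Returns 0 and writes
 * a reply, or -1 to discard the record silently, as RFC 6520 directs. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *resp, size_t *resp_len)
{
    if ((size_t)(1 + 2 + HB_PADDING) > rec_len)
        return -1;                                /* too short to be a valid heartbeat */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return -1;                                /* claimed payload does not fit the record */
    resp[0] = TLS1_HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    *resp_len = 3 + payload + HB_PADDING;
    return 0;
}

/* Byte-string search: does the reply carry the neighbouring secret? */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Attacker sends 4 payload bytes but claims 100; the vulnerable handler echoes 100. */
int demo_vulnerable_leaks(void)
{
    static unsigned char resp[SIM_HEAP_SIZE + 32];
    size_t rec_len = build_request((const unsigned char *)"ping", 4, 100);
    size_t n = heartbeat_vulnerable(sim_heap, rec_len, resp);
    return contains(resp, n, secret);             /* 1: the secret is in the reply */
}

/* The same malformed request against the fixed handler is dropped. */
int demo_fixed_rejects(void)
{
    static unsigned char resp[SIM_HEAP_SIZE + 32];
    size_t resp_len = 0;
    size_t rec_len = build_request((const unsigned char *)"ping", 4, 100);
    return heartbeat_fixed(sim_heap, rec_len, resp, &resp_len);   /* -1 */
}

/* A well-formed request (claimed == actual) still gets a normal 23-byte reply. */
int demo_fixed_honest_len(void)
{
    static unsigned char resp[SIM_HEAP_SIZE + 32];
    size_t resp_len = 0;
    size_t rec_len = build_request((const unsigned char *)"ping", 4, 4);
    if (heartbeat_fixed(sim_heap, rec_len, resp, &resp_len) != 0) return -1;
    if (contains(resp, resp_len, secret)) return -2;
    return (int)resp_len;                         /* 1 + 2 + 4 + 16 */
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", demo_vulnerable_leaks());
    printf("fixed handler on malformed request (-1 = dropped): %d\n", demo_fixed_rejects());
    printf("fixed handler reply length for honest request: %d\n", demo_fixed_honest_len());
    return 0;
}
```

The demo keeps the claimed length at 100 so the over-read stays inside the simulated buffer; a real attacker claims up to 65535 bytes per request and repeats the request, which is why keys, session cookies and passwords that happened to be adjacent in the heap turned up in replies. Note that the fix compares against the length of the record that actually arrived, not against the attacker's header, and drops the record rather than replying with an error, so a probing client learns nothing from a patched server.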

The CRA said it's putting in place measures to protect the people affected by the Heartbleed-enabled breach. It said it will notify victims by registered mail and will not be calling or e-mailing any of the victims because those forms of communication are frequently abused by people carrying out phishing attacks and similar scams. The Royal Canadian Mounted Police is investigating the breach.