Canada’s Revenue Agency (CRA) tax collection arm is blaming hackers exploiting the Heartbleed security vulnerability for stealing confidential data on 900 people, in perhaps the first known report of a large organization victimized by the OpenSSL flaw.

DH Kass, Senior Contributing Blogger

April 16, 2014

Heartbleed Bug Blamed for Canadian Tax Agency Attack, More Expected


Andrew Treusch, CRA Commissioner, said the CRA still is assessing the damage, which at this point is said to focus on identification used to gain access to government benefits.

“Regrettably, the CRA has been notified by the Government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period,” Treusch said in a statement. “Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability.”

Canadian police are investigating the attack, Treusch said, but at this point it’s unclear if other data has been pilfered.

“We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed,” he said. “Despite our robust controls,” the CRA is “one of many organizations that was vulnerable to Heartbleed.”

The CRA said that those affected by the break in security will be informed by registered letter and will be provided free credit protection services.

Reuters reported that Mumsnet, a high-traffic, U.K.-based parenting website, also had experienced a Heartbleed-related breach. Officials didn’t disclose whether any information had been stolen, but in response to the threat they required users to reset their passwords.

The potential for similar attacks to occur is astronomically high. U.K.-based researcher Netcraft reported last week that of the estimated half-million websites deploying OpenSSL and vulnerable to the Heartbleed bug, only 30,000, or 6 percent, have reissued updated certificates, and an even smaller number have revoked the old ones. In other words, a tidal wave of SSL certificate revocations is soon to hit.

Netcraft cautioned that even websites with reissued certificates remain exposed to impersonation attacks unless their old certificates are revoked, even after upgrading to the latest version of OpenSSL and replacing their SSL certificates.

Revoking an SSL certificate tells visitors that the certificate, and any site presenting it, is no longer to be trusted; it is meant to protect them from fraud, theft and other criminal activities.

“If a remote attacker successfully retrieved private keys from a server while it was still vulnerable to the Heartbleed bug, then he would be able to impersonate the server by creating his own valid SSL certificate,” Netcraft said. “The crucial issue is that an attacker can still do this after the affected website has upgraded to the latest version of OpenSSL, and it does not matter whether the real website has since deployed a new SSL certificate with different keys: Unless the previous certificate is revoked, the site will still be vulnerable to man-in-the-middle attacks.”
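The Netcraft point above is, in effect, an audit rule: a site is only remediated once it serves a certificate issued after the patch window, with a different key, and the old certificate appears on a revocation list. The following is an added example, not code from the article or from Netcraft, that models that rule over a constructed inventory of certificates. The hostnames, serial numbers and key fingerprints are sample data, and the cutoff date is a parameter the operator sets (Heartbleed's public disclosure date, 2014-04-07, is used as the default). The same-key check goes one step beyond the article: a certificate reissued on the old key is no better than the original.

```python
"""Classify how far a site has gone in remediating a possible Heartbleed key leak.

Added example, not code from the article or from Netcraft. It models the
remediation states the article describes: certificate never reissued,
reissued but the old certificate not revoked, and reissued plus revoked.
All hostnames, serials and fingerprints below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set

# A certificate whose validity starts before this date may carry a key that
# was readable from server memory while the server was vulnerable. Heartbleed
# was publicly disclosed on 2014-04-07, so that is the default cutoff.
PATCH_CUTOFF = date(2014, 4, 7)


@dataclass(frozen=True)
class Cert:
    host: str
    serial: str            # constructed serial number
    not_before: date       # start of the validity period
    spki_fingerprint: str  # constructed fingerprint of the public key


def classify(current: Cert, previous: Optional[Cert], revoked: Set[str],
             cutoff: date = PATCH_CUTOFF) -> str:
    """Return one of four remediation states for a site.

    - "not-reissued": the certificate in use predates the cutoff, so its
      private key may have been exposed.
    - "reissued-same-key": a new certificate was issued but on the same
      public key, so a stolen key remains usable (a check beyond the article).
    - "reissued-not-revoked": new key, but the old certificate is absent from
      the revocation list; anyone holding the old key can still impersonate
      the site, which is the scenario Netcraft describes.
    - "remediated": new key and the old certificate revoked.
    """
    if current.not_before < cutoff:
        return "not-reissued"
    if previous is None:
        return "remediated"  # no pre-cutoff certificate on record for this host
    if previous.spki_fingerprint == current.spki_fingerprint:
        return "reissued-same-key"
    if previous.serial not in revoked:
        return "reissued-not-revoked"
    return "remediated"


def audit(sites, revoked):
    """Run classify() over (current, previous) pairs and return {host: state}."""
    return {cur.host: classify(cur, prev, revoked) for cur, prev in sites}


# Constructed sample inventory: each entry is (certificate served now,
# certificate served before the patch window, or None if never replaced).
OLD_A = Cert("a.example", "1001", date(2013, 9, 1), "spki-a-old")
OLD_B = Cert("b.example", "1002", date(2013, 11, 5), "spki-b-old")
OLD_C = Cert("c.example", "1003", date(2014, 1, 20), "spki-c-old")
OLD_D = Cert("d.example", "1004", date(2013, 12, 2), "spki-d-old")

SAMPLE_SITES = [
    (OLD_A, None),                                                        # never reissued
    (Cert("b.example", "2002", date(2014, 4, 10), "spki-b-old"), OLD_B),  # reissued, same key
    (Cert("c.example", "2003", date(2014, 4, 11), "spki-c-new"), OLD_C),  # reissued, not revoked
    (Cert("d.example", "2004", date(2014, 4, 12), "spki-d-new"), OLD_D),  # reissued and revoked
]
SAMPLE_REVOKED = {"1004"}  # constructed revocation list: only d.example's old serial

if __name__ == "__main__":
    for host, state in audit(SAMPLE_SITES, SAMPLE_REVOKED).items():
        print(f"{host}: {state}")
```

In a real audit the `Cert` records would be filled from the certificates a scanner observed before and after the patch window, and `revoked` from the issuing CA's CRL or OCSP responses; the decision logic is the same.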

About the Author(s)

DH Kass

Senior Contributing Blogger, The VAR Guy
