(Adds comment from security expert, detail on Akamai connection)
By Jim Finkle and Ross Kerber
BOSTON, April 16 (Reuters) - American Funds, the No. 3 U.S. mutual fund family, advised some customers to change user names and passwords on Wednesday as the number of companies and people affected by the notorious “Heartbleed” bug grows.
The company sent emails to some 825,000 clients, saying they had been exposed to “a very narrow window of risk” related to “Heartbleed,” which has been described as the biggest computer security threat since the mass adoption of the Internet.
American Funds also advised customers who logged into Americanfunds.com from Dec. 12, 2013 to April 14 to create new security questions and delete their browsing history.
Heartbleed refers to a security bug in software known as OpenSSL used in about two-thirds of all websites and many other technology products. Hackers have created malicious software that exploits the bug, allowing them to attack vulnerable websites and steal data.
Dan Guido, chief executive of cybersecurity startup Trail of Bits, said more warnings are likely because no company will want to be remiss in trying to protect customers.
“I expect to see a lot more of this,” Guido said.
On Tuesday, Canada’s tax authority became the first major organization to report an attack related to Heartbleed, and more are expected. Canadian police on Wednesday charged a 19-year-old man in connection with exploiting the bug to steal taxpayer data.
American Funds spokesman Chuck Freadhoff said his firm does not believe it has been breached and issued the notice “out of an abundance of caution” after learning that a vendor had been affected by Heartbleed. He did not identify that vendor.
“It would be almost impossible to access a shareholder’s account and transact, given the multiple layers of security within the American Funds system,” he said.
OpenSSL software helps encrypt traffic with digital certificates and “keys” that keep information secure while in transit over the Internet. Heartbleed went undetected for several years, so experts believe hackers have likely stolen some certificates and keys, leaving data vulnerable.
American Funds’ decision to alert customers may be related to a move by Akamai Technologies Inc to replace the digital security keys of its customers.
The Americanfunds.com site is routed through Akamai, one of the biggest providers of services for distributing and securing websites, said John Bumgarner, chief technology officer with the U.S. Cyber Consequences Unit. He reviewed the digital SSL certificate embedded on the fund company’s website.
Akamai had said on Monday that it was replacing SSL certificates of its customers out of concern that those keys may have been compromised before the bug had been discovered.
“Anything could have happened,” Akamai Chief Security Officer Andy Ellis said when asked on Monday about the impact of exposure to Heartbleed on SSL customers. “There is a lot going on here. This is a ‘can of worms’ question.”
Both Akamai and American Funds declined to say whether SSL keys for American Funds have been replaced. (Reporting by Jim Finkle; Additional reporting by Toni Clarke, Ross Kerber and Tim McLaughlin; Editing by Richard Valdmanis and Richard Chang)