Some American Funds Clients Vulnerable to Heartbleed Bug

Capital Group warns clients who used site between Dec. 12 and April 14 to change passwords

Heartbleed could affect clients who used American Funds' website between Dec. 12 and April 14, Capital Group says.

Capital Group Cos., the third-largest manager of U.S. mutual funds, urged 800,000 customers to change account passwords and other information to protect themselves from risk caused by the Heartbleed computer bug.

The bug may have exposed some customers who accessed their accounts on the website for the firm’s American Funds mutual funds between Dec. 12 and April 14, Chuck Freadhoff, a spokesman for the Los Angeles-based firm, said in a telephone interview. The company today recommended in an e-mail to those clients that they change their user information, password, security image and questions, and delete their browsing history and “cookies.”

“Through an outside vendor there was with Heartbleed a vulnerability that gave a view to information flowing through that vendor’s servers,” Freadhoff said. “We are doing this out of an abundance of caution,” he said, adding that the company had no information indicating accounts had been accessed by hackers.

Heartbleed, which was recently discovered by technology researchers and made public on April 7, prompted security experts to urge consumers to change their Internet passwords, even as Google Inc., Facebook Inc. and large banks said they weren’t affected. The bug can expose people to hacking of their passwords and other sensitive information.

Programming Error

The Federal Financial Institutions Examination Council, made up of representatives from the Federal Reserve Board of Governors, the Consumer Financial Protection Bureau and other U.S. regulators, said last week that systems operating a widely used encryption technology called OpenSSL are at risk of being hacked.

The flaw stemming from a 2-year-old programming mistake was discovered by researchers from Google and Codenomicon Ltd., a technology security firm based in Finland, and reported to OpenSSL, according to a blog post from Codenomicon. It isn’t known whether malicious hackers were aware of the bug and exploiting it, the researchers wrote.

Bloomberg News reported April 11 that the National Security Agency knew about the bug for two years and made it part of its hacking toolkit for information gathering. The NSA has since denied that it knew of the bug before an April 7 report by the private security researchers.

Capital Group manages $1.3 trillion for clients, including $1.1 trillion in its American Funds lineup, according to the company and data compiled by research firm Morningstar Inc. Only Vanguard Group Inc., based in Valley Forge, Pennsylvania, and Boston’s Fidelity Investments oversee more in mutual funds.

Capital Group’s largest fund is the $138 billion Growth Fund of America, according to data compiled by Bloomberg. The firm operates more than 50 million shareholder accounts, Freadhoff said.

--With assistance from Ed Dufner in Dallas.

Copyright 2014 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
