A 19-year-old is due in court today charged with stealing information on hundreds of people by exploiting the Heartbleed bug.
Stephen Arthuro Solis-Reyes, 19, is the first person to be charged in connection with the major internet security flaw.
Federal police in Canada say they arrested Solis-Reyes at his home in London, Ontario.
He has been charged with mischief and the unauthorised use of a computer to steal data from the Canada Revenue Agency’s (CRA) website.
Police said Solis-Reyes “extracted private information held by the CRA” by exploiting the security vulnerability.
The CRA said 900 social insurance numbers – similar to National Insurance numbers – were stolen last week.
Its website was closed for several days as a result.
Police said it took four days to track down the alleged culprit, adding that his computer equipment has been seized and the investigation is ongoing.
The so-called Heartbleed flaw in online encryption software OpenSSL allows hackers to eavesdrop on online communications, steal data, impersonate websites and unlock encrypted data.
OpenSSL is commonly used to protect passwords, credit card numbers and other data sent via the internet.
The flaw is understood to have existed for two years, but was only discovered in the past week.
More than half of websites use the software, but not all versions have the same vulnerability.