American Funds Asks Clients to Fix Passwords Over Heartbleed

Apr 16, 2014 5:51 pm ET

(Updates with Fidelity, Vanguard in last paragraph.)

April 16 (Bloomberg) -- Capital Group Cos., the third-largest manager of U.S. mutual funds, urged 800,000 customers to change account passwords and other information to protect themselves from risk caused by the Heartbleed computer bug.

The bug may have exposed some customers who accessed their accounts on the website for the firm’s American Funds mutual funds between Dec. 12 and April 14, Chuck Freadhoff, a spokesman for the Los Angeles-based firm, said in a telephone interview. The company today recommended in an e-mail to those clients that they change their user information, password, security image and questions, and delete their browsing history and “cookies.”

“Through an outside vendor there was with Heartbleed a vulnerability that gave a view to information flowing through that vendor’s servers,” Freadhoff said. “We are doing this out of an abundance of caution,” he said, adding that the company had no information indicating accounts had been accessed by hackers.

Heartbleed, which was recently discovered by technology researchers and made public on April 7, prompted security experts to urge consumers to change their Internet passwords, even as Google Inc., Facebook Inc. and large banks said they weren’t affected. The bug can expose people to hacking of their passwords and other sensitive information.

Programming Error

The Federal Financial Institutions Examination Council, made up of representatives from the Federal Reserve Board of Governors, the Consumer Financial Protection Bureau and other U.S. regulators, said last week that systems operating a widely used encryption technology called OpenSSL are at risk of being hacked.

The flaw, stemming from a 2-year-old programming mistake, was discovered by researchers from Google and Codenomicon Ltd., a technology security firm based in Finland, and reported to OpenSSL, according to a blog post from Codenomicon. It isn’t known whether malicious hackers were aware of the bug and exploiting it, the researchers wrote.

Bloomberg News reported April 11 that the National Security Agency knew about the bug for two years and made it part of its hacking toolkit for information gathering. The NSA has since denied that it knew of the bug before an April 7 report by the private security researchers.

Capital Group manages $1.3 trillion for clients, including $1.1 trillion in its American Funds lineup, according to the company and data compiled by research firm Morningstar Inc. Only Vanguard Group Inc., based in Valley Forge, Pennsylvania, and Boston’s Fidelity Investments oversee more in mutual funds.

Capital Group’s largest fund is the $138 billion Growth Fund of America, according to data compiled by Bloomberg. The firm operates more than 50 million shareholder accounts, Freadhoff said.

Fidelity and Vanguard said their websites weren’t affected by the Heartbleed bug.

--With assistance from Ed Dufner in Dallas.