The agency said early Monday it became aware of the breach while repairing the bug, and that the theft happened over a six-hour period.
"Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability," the CRA said. "We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed."
The agency says those affected will be contacted via registered letters, and that any attempts to contact a taxpayer via email or telephone are fraudulent.
Anyone affected will be provided with credit protection services at no cost, the revenue agency said.