You may not be familiar with Cloudflare, but it’s one of the world’s largest internet security companies, and it’s responsible for protecting huge companies like Uber, OKCupid, and FitBit. In an ironic turn of events, it managed to do just the opposite in a leak of private user data that’s been dubbed “Cloudbleed.” A vulnerability in their code was pushing out passwords, usernames, private messages, and other information you’d never want to fall into the hands of total strangers.
Thankfully, Tavis Ormandy, a security researcher with Google’s Project Zero, found the vulnerability. He contacted Cloudflare on February 17th, and the company acted quickly to fix the bug. The damage had already been done, though—and at this point, it’s still not clear how far-reaching it is.
“I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings,” wrote Ormandy while sharing details of what he was uncovering. “We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”
Cloudflare posted details about the bug on its website to be transparent about the less-than-favorable situation. It noted that it believes the “greatest period of impact” was February 13 through February 18, but that the earliest leak could have occurred on September 22, 2016.
Search engines were caching the leaked data, and because many different Cloudflare-fronted sites pass through the same proxy servers, a request to one website could return memory containing information from a different Cloudflare site.
“For example, you could have visited a page on uber.com, and a chunk of memory from a previous request/response to okcupid.com would be returned,” explained Pen Test Partners whitehat hacker Andrew Tierney, speaking with Forbes. “This sensitive data could have been returned to anyone. There was no need to carry out an active attack to obtain the data—my mum may have someone else’s passwords stored in her browser cache just by visiting another Cloudflare-fronted site.”
Were You Affected by Cloudbleed? Here’s What to Do
While this leak is quite a mess, you’re undoubtedly wondering if or how it may impact you.
Currently, it hasn’t been revealed which exact websites were affected, and customers haven’t been notified. There’s a list on GitHub, however, that contains more than four million Cloudflare domains that were possibly part of Cloudbleed.
Keep in mind that every domain that uses Cloudflare DNS is listed, but it was the Cloudflare proxy that leaked data. Not all domains on the list were compromised, but at this point, no one has zeroed in on all of the affected sites.
Take a look at the list—which contains websites like Yelp, Uber, Medium, Zendesk, 4chan, 23andme, and Glassdoor—and see if there are any domains you know you have an account on. It can take a while to scan through over four million domains, but the GitHub page also lists some of the more notable sites that could have leaked information to make your job easier.
Once you’ve identified websites that you use, go into your individual accounts and change your password. It’s hard to know what has already been leaked out from your account, but you can take back control by changing the login information.
As we wait for the full scope of Cloudbleed’s damage to unfold, you may want to consider signing up for an identity theft protection service like IdentityForce. You can’t be sure whether your information was exposed or who may have seen it, so it can provide invaluable peace of mind to know security professionals are watching over your identity 24/7.