Hostwinds Blog

Cloudflare Leak Security Breach: Change Your Passwords Now

by: Hostwinds Team  /  March 1, 2017


Tags: CloudFlare, security 

A tiny bug in Cloudflare's code allowed sensitive data to be leaked and cached by search engines. The data included passwords, cookies, API keys, personal messages, IP addresses, and more. This Cloudflare leak is being called Cloudbleed, and it's a single character in the code that's ultimately to blame.
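To make the "single character" concrete: Cloudflare's own post-mortem traced the leak to an end-of-buffer check written as `==` where `>=` was needed, so a parser that stepped one byte past the end never noticed and kept copying whatever sat in memory after the request. The toy parser below is an added illustration, not Cloudflare's code; the input, the layout and the "neighbouring" session token are all constructed, and the whole demo stays inside one array so it is memory-safe while still showing the effect of the one-character difference.

```c
#include <stdio.h>
#include <string.h>

/* Constructed memory layout for the demo: the parser is handed only the first
 * INPUT_LEN bytes (an attribute value cut off right after a backslash), but a
 * pretend "neighbouring request" carrying a session token sits directly behind
 * it. Everything lives in this one array, so the demo itself never reads out
 * of bounds; it only reads past the boundary the parser was GIVEN. */
static const char arena[] = "abc\\" "SESSION=abc12345" "\"";
#define INPUT_LEN 4

/* Copy an attribute value from p up to the closing quote into out.
 * A backslash escape is skipped as a two-byte pair. `fixed` selects the
 * end-of-input test: `p == pe` (buggy) or `p >= pe` (correct).
 * Returns the number of bytes written to out. */
size_t extract_value(const char *p, const char *pe, char *out, size_t cap, int fixed)
{
    size_t n = 0;
    while (n + 1 < cap) {
        int at_end = fixed ? (p >= pe) : (p == pe);   /* the one-character difference */
        if (at_end || *p == '"')
            break;
        if (*p == '\\') {            /* skip escape pair; can jump PAST pe by one byte */
            p += 2;
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Run the toy parser over the constructed input with the buggy or fixed check. */
size_t run_demo(int fixed, char *out, size_t cap)
{
    return extract_value(arena, arena + INPUT_LEN, out, cap, fixed);
}

/* 1 if the extracted value contains bytes that were never part of the input. */
int leaked_neighbour_data(int fixed)
{
    char out[64];
    run_demo(fixed, out, sizeof out);
    return strstr(out, "abc12345") != NULL;
}

int main(void)
{
    char out[64];
    run_demo(0, out, sizeof out);
    printf("buggy (p == pe): \"%s\"\n", out);   /* carries the neighbouring token */
    run_demo(1, out, sizeof out);
    printf("fixed (p >= pe): \"%s\"\n", out);   /* stops at the input boundary */
    return 0;
}
```

With the `==` check the skipped escape lands one byte beyond `pe`, equality is never seen again, and the copy runs on into the neighbouring data; with `>=` it stops at the boundary.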

Working with the Project Zero security team, Google's Tavis Ormandy discovered the vulnerability and notified Cloudflare. Cloudflare was swift to react: an initial mitigation was in place within the hour, and the bug was fully patched 7 hours later. Google then went to work purging the private information that had been cached. However, the leaks had started in September of last year, so how much information was exposed, and whether anyone else found and exploited the bug in the meantime, is unknown.

Which sites were affected by Cloudbleed?

A few popular sites using Cloudflare that may have been affected by Cloudbleed are Uber, FitBit, Medium, Feedly, and OkCupid. Many mobile apps may have been affected, too. Ormandy said some of the information he found included data from an online password manager, hotel reservations, dating site private messages, and more.

Cloudflare has been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OkCupid, etc. https://t.co/wjwE4M3Pbk

— Tavis Ormandy (@taviso) February 23, 2017

Reports are that the bulk of this Cloudflare leak happened from February 13 through February 18. Nearly 3,500 domains were affected, including 150 customers of Cloudflare. Still, a leak occurred only once per 3,300,000 HTTP requests. Cloudbleed was publicly disclosed only after search engines had a chance to clear their caches.

Be proactive about your security

This goes to show that even the most prominent players and security professionals can mess up. Do everything you can on your end to secure your data: use strong passwords, change them regularly, and turn on two-factor authentication wherever it is offered. With the number of sites this affected, now is an excellent time to update your passwords and review your two-factor authentication settings.

If you use Cloudflare for your site, security professional Ryan Lackey says you might want to force users to change their passwords.

If you use LastPass, here's how you can automatically update your passwords.

While not definitive, here's a list of sites that may have been affected.

Concerned about whether specific sites use Cloudflare and may have been affected? You can use this tool to find out.

We'll add any new tools or lists of sites affected by this Cloudflare leak to this post. In the meantime, if you know of something else that would be helpful, please let us know in the comments below so we can add it, as well.
