Security company Cloudflare have revealed that a leak of sensitive data (nicknamed ‘Cloudbleed’), which was made possible by a bug in their code, could mean that many users of popular services may need to change their passwords.
A bug in the code of California-based Cloudflare's software appears to have leaked data from perhaps as many as four million domains of the six million websites that use Cloudflare's performance enhancement, SEO and security services.
Requests to websites that had certain HTML-rewriting features enabled triggered the bug in Cloudflare's HTML parser, which then returned, to whoever happened to make the request, fragments of data belonging to other Cloudflare proxy customers that were in the proxy's memory at the time.
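To make the mechanism concrete, the following is an added illustration of the bug class, not Cloudflare's code: a parser that copies an attribute value out of one customer's page and tests for the end of that page with a pointer-equality check. The arena, customer names, token value and function names are all constructed for the example. When the page is cut off mid-attribute, the scanner steps past the end pointer, the equality test is never true, and the copy runs on into neighbouring memory that still holds another customer's data. The same loop with a `>=` test stops immediately.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed arena standing in for the proxy's heap: the page being parsed
 * for "customer A" is immediately followed by bytes still holding "customer
 * B"'s data. HTTP bodies are not NUL-terminated, so nothing separates them. */
#define PAGE_A    "<a href=\"/login\" target="
#define RESIDUE_B "session=B-SECRET-TOKEN-42; Path=/\""
static const char arena[] = PAGE_A RESIDUE_B;
static const size_t page_a_len = sizeof(PAGE_A) - 1;   /* A's page ends at '=' */

/* Copy a quoted attribute value; p points at the '=' before it.
 * The scanner assumes '="' always follows and steps over both bytes. With a
 * page that ends at '=', that jump lands past `end`. An end-of-buffer test
 * written as `p == end` is then never true and the copy continues into bytes
 * that belong to someone else; written as `p >= end` it stops at once. */
static size_t copy_attr_value(const char *p, const char *end,
                              char *out, size_t outlen, int use_fixed_check)
{
    size_t n = 0;
    p += 2;                                   /* skip '=' and the expected '"' */
    for (;;) {
        int at_end = use_fixed_check ? (p >= end) : (p == end);
        if (at_end || *p == '"' || n + 1 >= outlen)
            break;
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Parse customer A's page and return what the scanner emitted for the
 * `target` attribute; with the buggy check this includes B's session token. */
size_t parse_target_attr(int use_fixed_check, char *out, size_t outlen)
{
    const char *end = arena + page_a_len;
    const char *eq  = strstr(arena, "target=") + strlen("target");  /* the '=' */
    return copy_attr_value(eq, end, out, outlen, use_fixed_check);
}

/* 1 if the emitted bytes contain customer B's token, else 0. */
int leaks_other_tenant(int use_fixed_check)
{
    char out[128];
    parse_target_attr(use_fixed_check, out, sizeof out);
    return strstr(out, "B-SECRET-TOKEN-42") != NULL;
}

/* Number of bytes the scanner emitted for the attribute value. */
size_t emitted_len(int use_fixed_check)
{
    char out[128];
    return parse_target_attr(use_fixed_check, out, sizeof out);
}

int main(void)
{
    char out[128];
    parse_target_attr(0, out, sizeof out);
    printf("buggy check (==): emitted \"%s\"\n", out);
    parse_target_attr(1, out, sizeof out);
    printf("fixed check (>=): emitted \"%s\"\n", out);
    return 0;
}
```

The over-read stays inside the single constructed arena so the demonstration is deterministic; in a real proxy the bytes that follow are whatever the allocator last placed there, which is why the leaked material was a random mix of other customers' sessions, headers and request bodies.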
What Kind of Data Was Leaked?
The kind of personal customer data that was leaked included session tokens, passwords, private messages (perhaps including private messages sent on dating sites), API keys, and possibly even credit card details. The full scope of the leaked data is not yet known.
When ... and For How Long?
The problem was discovered and reported by Tavis Ormandy, a researcher on Google's Project Zero team. The leaked data was served, unintentionally, inside ordinary responses for roughly six months before discovery, so it reached anyone who happened to request an affected page, including search-engine crawlers and regular visitors downloading files and browsing sites. The worst period is thought to have been between February 13th and February 18th, when memory is believed to have leaked in about 1 in every 3,300,000 HTTP requests passing through Cloudflare.
Although the leak itself was bad enough, it has been compounded and made much more difficult to clean up because:
Popular Websites Affected.
Data from many popular websites is believed to have been leaked. Websites affected include Uber, Fitbit, OkCupid, and Yelp.
Do Hackers Have The Leaked Data?
Security commentators say that, to this point, there is no evidence to suggest that the data has fallen into the wrong hands or is being used by hackers.
What Does This Mean For Your Business?
The advice from security commentators is to first check whether details of you / your business may have been leaked, by looking for the domains you use in the list that has been posted online here: https://github.com/pirate/sites-using-cloudflare. Note that this list catalogues domains that use Cloudflare rather than domains confirmed to have leaked data, so a match means you may have been exposed, and absence from the list is not a guarantee that you were not; because there is no way to confirm which individual sessions were leaked, rotating passwords, session tokens and API keys for services on the list is the safe course.
Other actions that you can take include: