


Cloudflare Leak Exposed Data From Millions of Websites

Web services company Cloudflare recently patched a bug that could have exposed a broad range of customer information, such as passwords, chat transcripts, and other information stored by millions of websites.

The bug, discovered by Google security researcher Tavis Ormandy, allowed sensitive data from Cloudflare-powered websites to be cached by search engines, including Google.

"I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings," Ormandy wrote in a Feb. 19 blog post. "We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, information, everything."

Cloudflare powers many popular websites, including Uber, Fitbit, and OkCupid, Forbes reports. But Cloudflare downplayed the issue's impact on consumers, explaining in a statement that it had not discovered any evidence of malicious exploits.

"The greatest period of impact was from February 13 and Feb 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that's about 0.00003% of requests)," the company said.

Cloudflare client and password management company 1Password reassured its users that the bug did not put any of their data at risk. "At the moment, we want to assure and remind everyone that we designed 1Password with the expectation that SSL/TLS can fail," the company said in a statement. "Indeed it is for incidents like this that we deliberately made this blueprint."

Some Uber session tokens were leaked, Forbes reports, which could have compromised some Uber accounts, but the company said those tokens have now been changed and no user passwords were leaked.

Nonetheless, given the potential scope of the vulnerability and the fact that the data could be cached by search engines, experts warned that sensitive data could be strewn about many corners of the web. Security researcher Ryan Lackey said the bug is a good reminder to do what you should be doing regularly anyway: change all of your passwords.

"Other data might be in other caches and services throughout the Internet, and obviously it is impossible to coordinate deletion across all of these locations," Lackey wrote in a blog post. "From an individual perspective, this is straightforward—the most constructive mitigation is to change your passwords."

Source: https://sea.pcmag.com/security/14196/cloudflare-leak-exposed-data-from-millions-of-websites

Posted by: mendelfroule.blogspot.com
