Cloudflare provides caching, proxy, and security services for thousands of web sites, including some very popular ones like digitalocean.com, patreon.com, bitpay.com, news.ycombinator.com, medium.com, 4chan.org, yelp.com, okcupid.com, zendesk.com, uber.com, 23andme.com, curse.com, and minecraftforum.net.
For about five months, starting in September 2016, a truly awful bug in Cloudflare’s services caused private information from sites hosted by Cloudflare to be leaked to unrelated systems. Since the leaked information was merrily crawled and stored by all the major search engines, all that data became available to the entire planet.
The leaked data includes just about everything you wouldn’t want leaked, such as encryption keys, cookies, passwords, private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, and hotel bookings.
My initial reaction to the news of this leak was relief, because I don’t use Cloudflare for any of my (or my clients’) web sites. But I use other web sites and services that use Cloudflare, so my private information may have been leaked. Almost anyone who uses the web actively could be affected by this bug, and its fallout.
The bug itself has been fixed by Cloudflare. The major search engines are working with Cloudflare to scrub related private information from their databases. But the damage has already been done.
What should you do?
If you run any web sites or services that use Cloudflare, you should take action immediately by invalidating all user sessions (e.g. login cookies). How this is done depends on the platform you’re using (WordPress, Joomla, etc.). You should probably also recommend to your members/subscribers that they change their passwords.
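As an added illustration (not code from the original post or from any platform it names), here is one platform-agnostic way to implement the “invalidate all user sessions” step: a server-side session store with a global generation counter, where bumping the counter forces every outstanding session to re-authenticate. All names here are hypothetical.

```python
# Added example, not from the original post. A minimal server-side
# session store with a global "generation" counter: bumping the counter
# invalidates every session issued before the bump in one step, which is
# the "invalidate all user sessions" action recommended above.
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    generation: int   # generation the session was issued under
    issued_at: float  # seconds since the epoch, for audit logging


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self._generation = 0  # bumped on every forced invalidation

    def issue(self, user: str) -> str:
        """Create a fresh session and return its opaque token."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self._generation, time.time())
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live session, or None if unknown or stale."""
        session = self._sessions.get(token)
        if session is None or session.generation != self._generation:
            self._sessions.pop(token, None)  # drop stale entries lazily
            return None
        return session.user

    def invalidate_all(self) -> int:
        """Force every outstanding session to log in again.

        Returns the number of sessions that were live before the bump.
        """
        live = sum(1 for s in self._sessions.values()
                   if s.generation == self._generation)
        self._generation += 1
        return live
```

After `invalidate_all()`, tokens issued earlier are rejected on their next use even though the cookies themselves still exist in users’ browsers.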
If you use any of the affected sites or services, you should probably change the associated passwords. This may turn out to be overkill, but it’s difficult to know for certain.
The full extent of the damage caused by this bug remains to be seen. In the worst-case scenario, malicious hackers noticed the bug when it first appeared and proceeded to gather leaked information for months.
References
- Analysis from the Wordfence blog
- Hacker News coverage of the issue
- Cloudflare incident report
- The original report from Google Project Zero
- Unofficial list of affected sites
Update 2017Feb25: Sites and services potentially affected by this issue are assessing the damage and announcing their findings. Email provider FastMail uses Cloudflare “to serve domain name information only, which does not contain any sensitive or personal customer data. … your information is safe, and it is not necessary to change your password.”
Update 2017Feb26: Technology blog TechDirt uses Cloudflare. The site’s operators have reset all user passwords as a precautionary measure.
Update 2017Feb27: Web browser developer Vivaldi analyzed their systems and services in response to this news, and responded by invalidating vivaldi.net browser sessions and invalidating potentially affected user passwords.