Cloudflare provides caching, proxy, and security services for thousands of web sites, including some very popular ones like digitalocean.com, patreon.com, bitpay.com, news.ycombinator.com, medium.com, 4chan.org, yelp.com, okcupid.com, zendesk.com, uber.com, 23andme.com, curse.com, and minecraftforum.net.
For about five months, starting in September 2016, a truly awful bug in Cloudflare’s services caused private information from sites hosted by Cloudflare to be leaked to unrelated systems. Since the leaked information was merrily crawled and stored by all the major search engines, all that data became available to the entire planet.
The leaked data includes just about everything you wouldn’t want leaked, such as encryption keys, cookies, passwords, private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, and hotel bookings.
My initial reaction to the news of this leak was relief, because I don’t use Cloudflare for any of my (or my clients’) web sites. But I use other web sites and services that use Cloudflare, so my private information may have been leaked. Almost anyone who uses the web actively could be affected by this bug, and its fallout.
The bug itself has been fixed by Cloudflare. The major search engines are working with Cloudflare to scrub related private information from their databases. But the damage has already been done.
What should you do?
If you run any web sites or services that use Cloudflare, you should take action immediately, by invalidating all user sessions (e.g. login cookies). How this is done depends on the platform you’re using (WordPress, Joomla, etc.) You should probably recommend to your members/subscribers that they change their passwords.
If you use any of the affected sites or services, you should probably change the associated passwords. This may turn out to be overkill, but it’s difficult to know for certain.
The full extent of the damage caused by this bug remains to be seen. In the worst case scenario, malicious hackers noticed the bug when it first appeared, and proceeded to gather leaked information for months.
- Analysis from the Wordfence blog
- Hacker News coverage of the issue
- Cloudflare incident report
- The original report from Google Project Zero
- Unofficial list of affected sites