CloudBleed: Change all your passwords immediately

Due to a Cloudflare source code bug, a lot of sensitive user information may have been leaked on the internet. The biggest affected sites are Uber, Fitbit, 1Password and OkCupid, but it is estimated that over 4.2 million domains were using CloudFlare.

So, user passwords, sensitive information and crypto keys may have been out there in the wild. Google, Yahoo and Bing worked on scrubbing the data, in order to protect users against hackers, but tech guys still find samples of leaked data in search engine caches. According to Hector Martin, you can still find authentication cookies for sites affected by the bug and these cookies still work.

This was discovered by Google’s security researcher Tavis Ormandy, but the bug was there for at least 5 months. The GitHub user Pirate has compiled a full list of all the sites that use Cloudflare’s services and there is also the DoesItUseCloudflare tool that permits the users to insert the website’s domain and check if it uses Cloudflare services or not.

The best way to prevent data loss is to change all your passwords on sites that uses Cloudflare’s services and enable two step authentication methods where possible.

Leave a Reply