24 Feb Reset Your Passwords! Cloudflare Leak Exposed
Cloudflare, a Goliath among Internet protection and security companies, revealed that it had a bug which leaked sensitive customer data across the Internet. This Cloudflare leak could have been active since September 22nd, 2016. Some of the compromised sites include Uber, Fitbit, OKCupid, and Yelp, with leaked data including sensitive cookies, login credentials, API keys, and important authentication tokens. Obviously, this issue could have larger implications, but according to Cloudflare CEO Matthew Prince, this event will likely not impact the average person. Let’s break down what exactly happened to Cloudflare.
What We Know about this Cloudflare Leak
On February 23rd, 2017, Cloudflare announced via blog post that it had identified a security issue: a bug which affected roughly 150 of its customers and leaked potentially millions of passwords, leaving the Internet asking how the very thing intended to protect it had managed to do exactly the opposite. Anyone who noticed the error had the ability to temporarily extract a variety of personal information that should have been held under encryption. Tavis Ormandy, an engineer at Google who was the first to identify the bug and subsequently labeled it “Cloudbleed,” claims the company has downplayed the severity of this leak in its blog posts, highlighting that much of the Internet sits behind a Cloudflare Content Delivery Network and that millions of known passwords were leaked.
What This Means For YOU
Former Cloudflare employee and security researcher Ryan Lackey suggests users take ‘standard security hygiene measures’ and update their passwords or enable two-factor authentication. His reasoning is similar to Ormandy’s: this leak has been open for a potential window of six months, and due to the nature of the Internet, the information is likely available to those with the intention of finding it.
Ultimately, this shows how critical Cloudflare is to the Internet, and how important it is that bugs are identified internally. A similar but more extreme incident could potentially compromise large portions of the Internet and entire global corporations. Looking to the future of Internet security, this Cloudflare leak is something for the company, and hopefully the entire online security community, to learn from.