You Should Change a Lot of Your Passwords Right Now
The leaked data also included sensitive personal information.
The bug, which has been dubbed “Cloudbleed”, was first discovered by Tavis Ormandy, a vulnerability researcher with Google Project Zero, on February 17.
Cloudflare, for its part, responded to the problem quickly and has since taken down the affected services to restore security for its users. This was done to illustrate the bug’s impact.
The name Cloudbleed reflects the bug’s similarities to the Heartbleed incident, which exposed sensitive data from server memory when using OpenSSL.
So let’s say a page on OkCupid had bad code. As shared in a tweet by Ormandy this week, the leaked data also included private dating site messages from OkCupid, full messages from a “well-known chat service”, passwords from password management apps like 1Password, and more (via Fortune). What we would really like to know is: does [Tavis] get the t-shirt or not? Such services require you to remember just one master login while generating a random string of characters as your password for each individual site and service.
Cloudflare is a popular content delivery network that effectively acts as a digital shield: a proxy that offers millions of websites DoS protection and other services. The bug had existed since September. After spotting Ormandy’s Twitter message, Cloudflare engineers disabled the three features that used the broken code responsible for the issue, and began working with search engines that had cached the leaked information to clear it. Not all of those caches have been cleared yet.
Cloudflare CTO John Graham-Cumming said users don’t need to worry about changing their passwords because there is a very low chance that their login information would be found. The company will continue to investigate whether anyone exploited the issue before Ormandy discovered it. The hole was open for about five months, although the company said in its blog post on the bug that the greatest exposure was between February 13 and February 18. Cloudflare is one company that underpins much of the web activity people rely on every day. Ormandy could then easily replicate the process to guarantee that sensitive information would be returned.
Caution is warranted, though.
Lackey says site operators should require their users to change their passwords, but that comes with drawbacks such as lost customer trust or account deletion. Cloudflare has provided a detailed timeline of the issue, showing just how fast the company was able to respond and move to protect customers.
Fortunately, Cloudflare customer SSL private keys were not leaked, and the firm has not yet found any evidence that the bug was maliciously exploited, nor any other reports of its existence. An Uber spokeswoman said “only a handful of session tokens were involved and have since been changed”. At the same time, another problem emerged: search engines had already cached some of the leaked information. “But the practical consequences are not huge”.