A Massive Data Leak Just Compromised a Zillion Passwords, Possibly Yours
Hide yo kids, hide yo wife, change your password
Ah, another day, another security leak.
This past Thursday, Cloudflare, a web optimization and security company you had probably never heard of until right now, announced it had accidentally leaked user data from thousands of sites that use its service. What’s worse: it appears they could have unknowingly been dumping sensitive info across the Internet since September of 2016.
For the uninitiated, Cloudflare is an internet proxy service that sits in front of websites and protects them from malicious attacks. It serves more than 5.5 million sites, and the spilled data included “private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings,” according to Tavis Ormandy, the Google Project Zero security researcher who reported the leak last week.
Could someone from cloudflare security urgently contact me.
— Tavis Ormandy (@taviso) February 18, 2017
Cloudflare quickly responded, outlining in detail that the leak was caused by a “buffer overrun.” So, good news: the culprit for the leak was a bug. Nothing actively malicious.
But here’s the major problem: the leaked information was cached by search engines like Google, Bing, Yahoo and others. As Forbes outlines, since Cloudflare typically serves content from many different sites out of the same server, a bug triggered by one website could reveal information belonging to a separate, unrelated Cloudflare-fronted site.
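To make the two paragraphs above concrete, here is an added illustration in C that is not Cloudflare's code and does not reproduce the actual bug: it shows, in a constructed layout, why a buffer overrun in a shared proxy process exposes another site's data, and what the bounded version of the same scan looks like. The arena layout, the tag scanner, and the "SECRET42" cookie value are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: two tenants' data placed back to back in one buffer,
   the way a process that serves many sites might hold them in memory. */
enum { ARENA_SIZE = 64, OUT_SIZE = 64 };

static char arena[ARENA_SIZE];
static char out[OUT_SIZE];

/* Hypothetical layout: site A's truncated HTML (8 bytes, closing '>' missing)
   followed immediately by site B's session cookie. */
static const char site_a_fragment[] = "<p class";       /* exactly 8 bytes */
static const char site_b_secret[]   = "cookie=SECRET42;";

/* Lay out the arena and return the length of site A's own region. */
size_t build_arena(void) {
    memset(arena, 0, sizeof arena);
    memcpy(arena, site_a_fragment, 8);
    memcpy(arena + 8, site_b_secret, strlen(site_b_secret));
    return 8;
}

/* Over-reading scanner: it stops only at '>' or at the end of its output
   buffer, never at the end of this request's region. With a truncated tag
   the scan runs straight on into the neighbouring tenant's bytes and hands
   them back to the caller. (Clamped to OUT_SIZE so the demo itself stays
   within defined behaviour.) */
const char *extract_tag_overread(const char *buf) {
    size_t i = 0;
    while (i < OUT_SIZE - 1 && buf[i] != '>' && buf[i] != '\0') {
        out[i] = buf[i];
        i++;
    }
    out[i] = '\0';
    return out;
}

/* Hardened scanner: bounded by the length of this request's own region.
   A truncated tag is reported as an error instead of being "completed"
   from whatever memory happens to follow. Returns the tag length, or -1. */
int extract_tag_bounded(const char *buf, size_t len, char *dst, size_t dst_size) {
    size_t i;
    if (dst_size == 0) return -1;
    for (i = 0; i < len && buf[i] != '>'; i++) {
        if (i + 1 >= dst_size) { dst[0] = '\0'; return -1; }  /* no room */
        dst[i] = buf[i];
    }
    if (i == len) { dst[0] = '\0'; return -1; }  /* '>' not found in region */
    dst[i] = '\0';
    return (int)i;
}

/* Detection helper for the reader: did another tenant's secret end up in
   the text we produced? */
int leaks_secret(const char *text) {
    return strstr(text, "SECRET42") != NULL;
}

int main(void) {
    char dst[OUT_SIZE];
    size_t n = build_arena();
    printf("over-read result : \"%s\" (leaks secret: %d)\n",
           extract_tag_overread(arena), leaks_secret(extract_tag_overread(arena)));
    printf("bounded result   : rc=%d \"%s\"\n",
           extract_tag_bounded(arena, n, dst, sizeof dst), dst);
    return 0;
}
```

The point of the pairing is that the data on the other side of the boundary is not attacker-controlled and not even the same site's; it is simply whatever the shared process was holding next, which is exactly why a single buggy parse can expose an unrelated customer's cookies or passwords.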
So what kinda info are we talking about? From Ormandy: “I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”
At the time of writing, Cloudflare has yet to release an official list of sites affected by the bug. But given the scope of the leak and the search-engine cache issue, it’d be wise for you to change your passwords ASAP.
A list of high-profile sites has been collected over on GitHub, and includes Uber, OkCupid, ProductHunt, Yelp and BitPay.
This article was featured in the InsideHook newsletter.