A software bug has caused a major data leak, putting encrypted personal data in the public domain. If you use the internet, this could affect you – please keep checking the relevant lists. Cloudflare, the website hosts with the issue, have said that there is no sign of hackers exploiting the vulnerability or the data at this stage. Cloudflare has been working closely with Google to remove the data from search results.

The best advice at this stage is to change your passwords. Sitting and changing all your passwords is not fun, but it could save you from having your data compromised.

GitHub explains what you should do –

Check your password managers and change all your passwords, especially those on these affected sites. Rotate API keys & secrets, and confirm you have 2-FA set up for important accounts. This might sound like fear-mongering, but the scope of this leak is truly massive, and due to the fact that all cloudflare proxy customers were vulnerable to having data leaked, it’s better to be safe than sorry.

Theoretically sites not in this list can also be affected (because an affected site could have made an API request to a non-affected one), you should probably change all your important passwords.

Please click through to read more.

GitHub also has a list of websites that are possibly affected, which comes with this disclaimer –

This list contains all domains that use cloudflare DNS, not just the cloudflare proxy (the affected service that leaked data). It’s a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised, and sites may be compromised that do not appear on this list.

Cloudflare has not provided an official list of affected domains, and likely will not due to privacy concerns. I’m compiling an unofficial list here so you know what passwords to change.

Click through here to see which websites you should definitely change your passwords for. You can download the full list – as of Friday morning, the tally currently stands as 4,287,625 sites.

You may find this website useful – http://www.doesitusecloudflare.com/

Beyond the personal impact, this could put clients at risk of extortion and cyber-crime. If you believe your services have been impacted by the Cloudflare leak and do not know what to do, contact experts for advice.

From Reuters

Bug causes personal data leak, but no sign of hackers exploiting: Cloudflare

Some of this data included “private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings” as well as cookies, passwords and software keys, Google security researcher Tavis Ormandy, who discovered the bug, wrote in a forum on Feb. 19. 

Ormandy also wrote on Twitter that data from ridesharing service Uber [UBER.UL] and cloud password company 1Password had been leaking. Uber declined to comment, while AgileBits, the maker of 1Password, denied in a blog post on Thursday that any personal data had been compromised. 

Please click here to read more.

AgileBits put out a statement explaining why their customers’ data is safe and the steps they have put in place to guarantee this –

No 1Password data is put at any risk through the bug reported about CloudFlare. 1Password does not depend on the secrecy of SSL/TLS for your security. The security of your 1Password data remains safe and solid.

We will provide a more detailed description in the coming days of the CloudFlare security bug and how it (doesn’t) affect 1Password. At the moment, we want to assure and remind everyone that we designed 1Password with the expectation that SSL/TLS can fail. Indeed it is for incidents like this that we deliberately made this design.

Please click here to read more.

The Register offers an explanation for those of us who are less technically inclined –

Cloudbleed: Big web brands leaked crypto keys, personal secrets thanks to Cloudflare bug

For example, Cloudflare hosts Uber, OK Cupid, and Fitbit, among thousands of others. It was discovered that visiting any site hosted by Cloudflare would sometimes cough up sensitive information from strangers’ Uber, OK Cupid, and Fitbit sessions. Think of it as sitting down at a restaurant, supposedly at a clean table, and in addition to being handed a menu, you’re also handed the contents of the previous diner’s wallet or purse.

This leak was triggered when webpages had a particular combination of unbalanced HTML tags, which confused Cloudflare’s proxy servers and caused them to spit out data belonging to other people – even if that data was protected by HTTPS.

Please click here to read more.

Like what you read? Sign up here for our free Daily Updates.

We also send out a Weekly K+R Update, bundling together all the kidnap, ransom and extortion news of the week in one easy to read newsletter. (Same form – options at the end.)

 Other ways to stay up to date:

Follow and subscribe!

Follow us on Twitter, LinkedIn, and Facebook. You can also subscribe to our free newsletters - the Daily Updates and the Weekly K+R Update.