Cloudflare has been accidentally leaking user information to any number of potential bad actors, and some of the information was apparently indexed on Google’s search engine. Change your passwords now.
For years, Cloudflare has provided a variety of services, including content delivery, DNS, and protection from DDoS attacks. Its services are widely used by many different companies and websites, though it has also been criticized for serving as an enabler of online piracy, terrorist organizations (two of ISIS’ three forums in 2015 were guarded by Cloudflare), and other malcontents. Now, the company has announced that a serious flaw in its software may have inadvertently served up account logins and passwords. Given how many websites use Cloudflare, that’s a big “Oops.” It’s being called “Cloudbleed” online, in reference to the massive “Heartbleed” bug discovered several years ago.
Cloudflare describes the problem as a buffer overrun, stating that its edge servers “were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.”
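To make the class of defect concrete, here is an added, constructed C example (not Cloudflare's code, and not the specific logic of its parser, which the article does not describe): a tiny field extractor that scans for a closing quote without checking the end of the request buffer, so a request with no closing quote makes it copy whatever sits next in memory, here a neighbouring request's cookie, into its output. The bounded version beside it stops at the buffer end. The `arena`, `REQUEST` and the `Cookie:` line are all made-up sample data.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a process heap: the request being parsed
 * (closing quote deliberately missing) is followed in memory by data
 * that belongs to a different, unrelated request. */
#define REQUEST "attr=\"hello"             /* 11 bytes, no closing quote */
static char arena[] =
    REQUEST
    "\nCookie: session=SECRETTOKEN\n"     /* neighbouring request's data */
    "next=\"other\"";                     /* a later quote ends the scan */

typedef size_t (*extract_fn)(const char *, const char *, char *, size_t);

/* Vulnerable: the loop stops only at a closing quote and never compares
 * the cursor against 'end', so a malformed field runs past the end of
 * the request buffer and returns adjacent memory to the caller. */
size_t extract_unbounded(const char *p, const char *end, char *out, size_t outlen)
{
    (void)end;                            /* buffer end is ignored */
    size_t n = 0;
    while (*p != '"' && n < outlen - 1)
        out[n++] = *p++;
    out[n] = '\0';
    return n;
}

/* Fixed: every advance of the cursor is checked against the buffer end,
 * so a missing terminator yields a truncated value, not a memory leak. */
size_t extract_bounded(const char *p, const char *end, char *out, size_t outlen)
{
    size_t n = 0;
    while (p < end && *p != '"' && n < outlen - 1)
        out[n++] = *p++;
    out[n] = '\0';
    return n;
}

/* Runs one extractor over the request and reports whether the returned
 * value contains bytes from the neighbouring request (1) or not (0). */
int leaks_neighbour(extract_fn fn)
{
    const char *value = arena + strlen("attr=\"");   /* start of field value */
    const char *end = arena + sizeof(REQUEST) - 1;   /* end of this request */
    char out[64];
    fn(value, end, out, sizeof out);
    return strstr(out, "SECRET") != NULL;
}
```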
SSL private keys were not leaked (good), but the bug was active from February 3 to February 18. During that period, one out of every 3.3 million HTTP requests made through Cloudflare may have leaked data. As the company notes, one in 3.3 million is a very small number — but given the sheer volume of sites and the billions of HTTP requests flowing across the Internet every day, it’s not that small.