Change Your Passwords: A Massive Web Leak Has Occurred
Add “change all passwords” to your to-do list for today. As Gizmodo reports, a tiny bug in its code caused Cloudflare—a content delivery network and web security service provider used by nearly 6 million websites—to experience a serious memory leak. Dubbed “Cloudbleed” (in reference to infamous 2014 Heartbleed bug), the leak exposed sensitive user data for months before security teams discovered and fixed it.
Leaked data included "private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings," revealed Tavis Ormandy, a Google security researcher who discovered the issue. "We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything." According to Cloudflare, the time of greatest impact was between February 13 to 18, although the earliest data leak can be traced back to September 2016.
Ormandy discovered the leak around a week ago. (You can learn how Cloudbleed was caused, how Ormandy noticed it, and how programmers fixed it by reading a blog entry posted by Cloudflare.) Aside from what the company’s announced to the public, details are still fuzzy—but as Gizmodo points out, what should really worry us is that search engines may have cached user data, and malicious Internet users may have obtained and stored the indexed information. Search engines like Google, Bing, and Yahoo were busy at work clearing cached data from the breach before news of Cloudbleed went public, but some of that stored data is still present, 9to5Mac reports.
There’s no official list of sites that were compromised, but Gizmodo compiled a preliminary list of ones that may be at risk, according to a Github user in the know. They include medium.com, 4chan.org, change.org, petapixel.com, and more. OkCupid and Uber were also reportedly affected, though both companies have released statements saying their user data is likely safe.
You can view the full list of potentially vulnerable sites here.
[h/t Gizmodo]