Cloudflare, a multibillion-dollar internet infrastructure and security company whose roughly 5.5 million customers range from small websites to media organizations, shopping sites, and popular apps, had been leaking data for months, the company said yesterday. Cloudflare has since patched the bug, which security researchers are calling "Cloudbleed" (after Heartbleed, the 2014 OpenSSL flaw), but not before a wealth of user data was exposed.
It's not yet clear what the extent of the damage is, but according to Tavis Ormandy, the Google security researcher who identified the problem, the Cloudbleed bug affected -- at minimum -- "private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings," and more.
"We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything," he wrote. (The HTTPS part is a big deal because the "S" in that part of a website's URL is supposed to stand for "secure": HTTPS encrypts traffic between your browser and the server it talks to, and is exactly what's meant to stop this kind of data from being read by anyone else. It didn't help here because Cloudflare sits between visitors and the sites it protects and decrypts HTTPS traffic on its own edge servers in order to inspect and serve it. The memory that leaked held those already-decrypted requests and responses, so sites and services using HTTPS were affected just the same.)
Cloudflare responded to Ormandy's discovery of the leak with a very long, in-depth blog post, in which the company says, "the greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage."
Crucially, even though the bug has been fixed, as Gizmodo pointed out, at least some of the leaked data "was able to be cached by search engines. Once indexed, nefarious types may have scraped and stored that data." So you should really change your passwords, like, right this second. And because session cookies were among the things that leaked, also log out of all active sessions where the service offers a way to do that (often labeled "sign out everywhere"), since a stolen cookie can keep working even after the password behind it has changed. Unfortunately, Cloudflare hasn't yet released an official list of affected sites, but GitHub user Nick Sweeting compiled a list of more than 4 million domains that use Cloudflare, and so could be at risk, by scraping and cross-referencing Cloudflare-related data from several sources. Sweeting published it with a bold disclaimer that it is a broad sweep of sites using Cloudflare and that there is no guarantee any particular one of them actually leaked anything.
Below are some of the more notable sites on Sweeting's list. You'll definitely want to use Find (Ctrl or Command + F) or scroll through the full list to look for sites you care about, including any seedy and dubiously legal file-streaming services and porn sites, as plenty in both categories made the cut. We'll update this with an official list if and when Cloudflare releases one:
- curse.com (and some other Curse sites like minecraftforum.net)
* Some of the services possibly affected, like Authy.com, are themselves two-factor authentication tools used to log in to other sites, which raises the stakes on any password-changing steps you take to secure those other accounts. To be safe, change the password on every account attached to such a service and revoke any sessions, API keys or authorization tokens it holds.
* A list of confirmed affected Cloudbleed domains has also been published, by GitHub user Dorian, who writes that the domains on it "are the ones that had public leaked data even after the disclosure." None of the domains on that list have the kind of Internet footprint of the sites singled out above from Sweeting's list, but they're worth looking at all the same.
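If a site you care about isn't on either list, the underlying question is simply whether it is served through Cloudflare at all, since only traffic passing through Cloudflare's edge could have leaked. The script below is an added example for this article, not code from Cloudflare, Sweeting or Dorian, and not the method behind either list. It looks for the markers Cloudflare's edge adds to responses it proxies (a `CF-RAY` request ID, `CF-Cache-Status`, a `Server` header naming cloudflare, and `__cf*` cookies such as the `__cfduid` cookie Cloudflare set at the time), first against two constructed sample responses and, via `check_live_host`, against a real host if you have network access. A positive result means the site uses Cloudflare, not that it leaked anything; a negative result can be wrong for sites that use Cloudflare for DNS only, or that strip these headers.

```python
"""Heuristic check: does an HTTP response look like it came through Cloudflare's edge?"""
from __future__ import annotations

import http.client
from collections import defaultdict

# Markers Cloudflare's edge adds to responses it proxies. cf-ray (a per-request ID)
# and "Server: cloudflare" are the strongest signals; __cf* cookies (e.g. __cfduid)
# were set by Cloudflare when Cloudbleed was disclosed. These are well-known
# Cloudflare markers, but the heuristic combining them is this example's own.
CF_HEADER_NAMES = ("cf-ray", "cf-cache-status")
CF_SERVER_TOKEN = "cloudflare"
CF_COOKIE_PREFIX = "__cf"


def parse_response_headers(raw: str) -> dict[str, list[str]]:
    """Parse a raw HTTP/1.x response head (status line plus header lines) into a
    dict of lowercase header name -> list of values. Repeated headers such as
    Set-Cookie are kept as separate entries; anything after the blank line (the
    body) is ignored."""
    headers: dict[str, list[str]] = defaultdict(list)
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a malformed line instead of failing the whole parse
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def cloudflare_signals(headers: dict[str, list[str]]) -> list[str]:
    """Return the names of the Cloudflare indicators present in parsed headers."""
    found: list[str] = []
    for name in CF_HEADER_NAMES:
        if name in headers:
            found.append(name)
    if any(CF_SERVER_TOKEN in v.lower() for v in headers.get("server", [])):
        found.append("server")
    if any(v.lower().startswith(CF_COOKIE_PREFIX) for v in headers.get("set-cookie", [])):
        found.append("set-cookie")
    return found


def is_behind_cloudflare(raw: str) -> bool:
    """True if at least one Cloudflare marker is present in the raw response head."""
    return bool(cloudflare_signals(parse_response_headers(raw)))


def check_live_host(host: str, timeout: float = 10.0) -> list[str]:
    """Send a HEAD request over HTTPS and return the Cloudflare signals seen.
    Needs network access; the constructed samples below do not use it."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", "/", headers={"Host": host, "User-Agent": "cf-check-example/0.1"})
        resp = conn.getresponse()
        headers: dict[str, list[str]] = defaultdict(list)
        for name, value in resp.getheaders():
            headers[name.lower()].append(value)
        return cloudflare_signals(dict(headers))
    finally:
        conn.close()


# Constructed sample responses for offline use; not captured from any real site.
SAMPLE_CLOUDFLARE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 24 Feb 2017 12:00:00 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: __cfduid=d3adb33f; expires=Sat, 24-Feb-18 12:00:00 GMT; path=/; HttpOnly\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "CF-RAY: 33a1b2c3d4e5f6a7-LHR\r\n"
    "Server: cloudflare-nginx\r\n"
    "\r\n"
)
SAMPLE_ORIGIN_ONLY = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 24 Feb 2017 12:00:00 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "Server: nginx/1.10.3\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("cloudflare sample", SAMPLE_CLOUDFLARE),
                       ("origin-only sample", SAMPLE_ORIGIN_ONLY)):
        signals = cloudflare_signals(parse_response_headers(raw))
        print(f"{label}: {signals or 'no Cloudflare markers'}")
```

Run it as-is to see the two constructed samples classified, or call `check_live_host("example.com")` from a Python prompt to test a real domain. Treat any hit as "this site is fronted by Cloudflare, so the disclaimers above apply", not as proof of a leak.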