Cloudflare -- a multibillion-dollar internet and data security company with upwards of 5.5 million clients, from small websites to media organizations, shopping sites, and popular apps -- was apparently exposed to a major data leak for months, the company said yesterday. Cloudflare has since reportedly patched the leak, which digital security types are calling "Cloudbleed" (after Heartbleed, a 2014 leak), but not before a wealth of user data was compromised.
It's not yet clear what the extent of the damage is, but according to Tavis Ormandy, the Google security researcher who identified the problem, the Cloudbleed bug affected -- at minimum -- "private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings," and more.
"We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything," he wrote. (The HTTPS part is a big deal because the "S" in that part of a website's URL is supposed to stand for "secure," designating a protocol that in theory prevents stuff like this from happening to that site. Nonetheless, the leak still affected sites and services using HTTPS.)