You’ve probably never heard of Cloudflare, a web infrastructure company that provides security services, but chances are high that they know you. Big-name companies such as Uber, OKCupid, and FitBit use Cloudflare’s tech management services. On February 17, a Google Project Zero engineer discovered the leak in Cloudflare’s code. One out-of-place character (= instead of >) caused the data of millions of people to leak (“bleed”) onto the internet. We don’t know yet whether hackers have exploited the security hole (Cloudflare says no), but the leak dates as far back as September 2016.
What should you do? First: change your passwords. See the full list of affected sites here, but, trust us, there’s a good chance that you have an account on one or more of them. Even if you don’t, your data could still be compromised, because a user of a Cloudflare-supported site may have visited the same websites as you. Security advisors are finding everything from private messages to credit card information in the leaked data.
For what it’s worth, Cloudflare’s software mostly worked the right way; the leak was triggered by a human error. In plain English, the buffer holding private info filled up and, because of the coding error, the software kept reading past the end of it, so one site’s data ended up in pages served for other websites. Major search engines like Google cached those pages, which means the data could be available from millions of different locations.
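To show why a single comparison character matters, here is a constructed C sketch added to this post (it is not Cloudflare’s parser; the buffer contents, the 3-byte token size and the `parse_tokens` name are all made up): a parser that checks for the end of its input with `==` can step over the end and keep copying whatever sits next in memory, while `>=` stops after at most one token.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed memory image: the first PAGE_LEN bytes are the page being
 * parsed; the bytes after them stand in for a neighbouring buffer that
 * happens to hold another site's data. */
#define SIM_MEM  "<a href=x>NEXT_USERS_COOKIE=abc123;"
#define PAGE_LEN 10

/* Consume tokens of `tok` bytes from a buffer of logical length `len` that
 * is followed in memory by more data (total `mem_size`). Every byte read
 * past `len` is copied into `leak` (NUL-terminated, capacity `leak_cap`).
 * Returns the number of leaked bytes. `fixed` selects `>=` over `==`. */
static size_t parse_tokens(const char *mem, size_t mem_size, size_t len,
                           size_t tok, int fixed, char *leak, size_t leak_cap)
{
    size_t p = 0, pe = len, n = 0;

    while (p + tok <= mem_size) {               /* simulation bound only */
        size_t end = p + tok;
        for (size_t i = (p > pe ? p : pe); i < end && n + 1 < leak_cap; i++)
            leak[n++] = mem[i];                 /* anything past pe is a leak */
        p = end;
        if (fixed ? p >= pe : p == pe)          /* the one-character difference */
            break;                              /* == never fires once p skips pe */
    }
    leak[n] = '\0';
    return n;
}

static char g_leak[64];                         /* holds the last leaked text */

static size_t leaked_with_eq(void)
{ return parse_tokens(SIM_MEM, sizeof SIM_MEM - 1, PAGE_LEN, 3, 0, g_leak, sizeof g_leak); }
static size_t leaked_with_ge(void)
{ return parse_tokens(SIM_MEM, sizeof SIM_MEM - 1, PAGE_LEN, 3, 1, g_leak, sizeof g_leak); }
static const char *last_leak(void) { return g_leak; }

int main(void)
{
    printf("== : %zu bytes past the end: \"%s\"\n", leaked_with_eq(), last_leak());
    printf(">= : %zu bytes past the end: \"%s\"\n", leaked_with_ge(), last_leak());
    return 0;
}
```

With the token size not dividing the page length, the `==` version walks through the entire neighbouring buffer, whereas the `>=` version overshoots by only two bytes and stops.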
Since the leak was first reported on February 23 (last Friday), Cloudflare has posted multiple updates about cleaning up leaked client data and patching the leak. But the sheer number of places the data ended up means it will take time to clear all of them.
When you change your passwords, go ahead and enable two-factor authentication wherever it’s offered. Then sit back, monitor your accounts, and join us in hoping that no one discovered the leak ahead of the good guys.