It’s once again time to change your passwords. Last week a bug referred to as ‘Cloud Bleed’ was reported by the internet infrastructure company Cloudflare.
You might not be familiar with Cloudflare itself, but the company’s software is running on 5.5 million websites, including some of your favorite services like Uber, FitBit, OKCupid and the password management program 1Password.
The vulnerability has been leaking personal data, including passwords, personal information, private chat logs and cookies, all over the Internet. The bug may have been active since September 2016, but researchers have confirmed that it was definitely active from February 13 until it was discovered on February 18.
The fact that Cloudflare is a security company makes this new vulnerability ironic. After all, countless companies pay Cloudflare to help keep their user data safe.
If you're using Cloudflare services in front of your website, this has the potential to impact you, as the bug could have exposed sensitive data that flowed between your back-end servers and end users via Cloudflare's proxies. You should take action on this right away by contacting Cloudflare support and your other IT providers.
This is yet another reminder that you should never rely on any single security method to protect your web assets.
Even if you don't use Cloudflare directly, there is a chance that websites you visit and web services you use could have exposed your private data. While the leak has the potential to be very dangerous for web users, there is no evidence that the leaked data was accessed by hackers.
It’s recommended to change ALL passwords on all of your sites right away. If you’re concerned about a particular site, www.doesitusecloudflare.com has been set up to give you immediate answers.
Cloudflare has provided a thorough incident report on its blog, which explains in depth what caused the bug and how it was fixed, so if you want to learn more about it you can check out this official post.