It looks like Cloudflare has been suffering from a bug recently, causing the passwords, cookies and tokens used to authenticate users by millions of sites to leak. Cloudflare is a security and performance tool that is used by 5.5 million websites, including big names like Reddit, Discord, Patreon and more. However, due to a myriad of factors, a bug has been present over the last five months.
First traces of the security flaw date back to the 22nd of September but the greatest impact came between the 13th and 18th of February, which is when the bug became more widely known. Cloudflare has fixed the issue but unfortunately the bug was active for so long that hackers will have already had plenty of opportunity to access user data by making web requests to affected websites.
Image Source: Hacker News.
Writing in a blog post published yesterday, Cloudflare CTO, John Graham-Cumming explained that “the bug was serious because the leaked memory could contain private information and because it had been cached by search engines”. However, the company is “satisfied that search engine caches have now been cleared” and no more malicious exploits remain.
Google’s Tavis Ormandy released his own response to this security breach, criticising Cloudflare for ‘downplaying the risk’ involved in this breach. Users on GitHub have put together a long list of sites and services that use Cloudflare, so if you want to know if you need to change your password for anything specific, then you can find the list, HERE.
KitGuru Says: This is a pretty major leak so it is well worth checking if any of your accounts could have been compromised. Change passwords, use two-factor authentication and stay safe out there.