Some of the most popular websites in the world have been leaking user data onto the web. The leaked data includes passwords, cookies, encryption keys, and private messages. The scale of the problem isn’t yet clear, but the advice, as always, is to change your passwords. All of them.
A coding error means websites using Cloudflare have been leaking user data onto the web, potentially for months. This user data will have appeared along the bottom of web pages alongside jumbled text. And while there is no evidence yet that this data has been used maliciously, it remains a small but distinct possibility.
Google Rides to the Rescue
Cloudflare, a web optimization and security company which looks after millions of websites, has been leaking user data onto the web thanks to a bug in an HTML parser chain. When the parser was used in conjunction with other features, the Cloudflare servers leaked random data onto the web.
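To make the mechanism concrete, here is a small illustration in C of the bug class the article describes: a tag scanner that ignores the length of the buffer it was handed, so an unterminated tag makes it read on into whatever happens to sit next in memory. This is an added example, not code from the article or from Cloudflare; the arena layout, the "SESSION=abc123" bytes standing in for another user's data, and every function name are constructed for this demonstration. The bounded version beside it stops at the end of the page and reports an error instead.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative only: a simplified reconstruction of the bug class behind the
 * Cloudflare leak (a parser reading past the end of the data it was given).
 * Not Cloudflare's code; names and data are constructed for this example. */

/* One contiguous arena stands in for server memory: the page being parsed
 * sits first, and unrelated data from another request sits right after it. */
static char arena[64];
#define PAGE_LEN 14   /* length of the HTML fragment below */

/* Lay out the arena: an HTML fragment whose tag never closes, followed by
 * bytes that belong to a different user's session (constructed). */
static void build_arena(void) {
    memset(arena, 0, sizeof arena);
    memcpy(arena, "<script src=\"x", PAGE_LEN);        /* 14 bytes, no '>' */
    memcpy(arena + PAGE_LEN, "SESSION=abc123>", 15);  /* "adjacent" memory */
}

/* Vulnerable: copies the tag body up to '>' but never consults `len`, so an
 * unterminated tag makes it keep reading into whatever follows the page. */
static size_t tag_body_vuln(const char *buf, size_t len, char *out, size_t outsz) {
    (void)len;                                  /* the bug: length ignored */
    size_t n = 0;
    const char *p = buf + 1;                    /* skip '<' */
    while (*p != '>' && *p != '\0' && n + 1 < outsz)
        out[n++] = *p++;
    out[n] = '\0';
    return n;
}

/* Fixed: the scan is bounded by `len`; a tag with no closing '>' inside the
 * buffer is rejected (returns 0, empty output) instead of read past the end. */
static size_t tag_body_fixed(const char *buf, size_t len, char *out, size_t outsz) {
    size_t n = 0;
    const char *p = buf + 1, *end = buf + len;
    while (p < end && *p != '>' && n + 1 < outsz)
        out[n++] = *p++;
    out[n] = '\0';
    if (p < end && *p == '>')
        return n;                               /* well-formed tag */
    out[0] = '\0';                              /* unterminated: report error */
    return 0;
}

/* Does the vulnerable parser's output contain bytes from the other request? */
int vuln_leaks_session(void) {
    char out[64];
    build_arena();
    tag_body_vuln(arena, PAGE_LEN, out, sizeof out);
    return strstr(out, "SESSION=abc123") != NULL;
}

/* Does the fixed parser refuse the unterminated tag without reading on? */
int fixed_rejects_unterminated(void) {
    char out[64];
    build_arena();
    return tag_body_fixed(arena, PAGE_LEN, out, sizeof out) == 0 && out[0] == '\0';
}

/* Sanity check: the fixed parser still handles a properly closed tag. */
int fixed_parses_terminated(void) {
    char out[8];
    return tag_body_fixed("<b>", 3, out, sizeof out) == 1 && out[0] == 'b';
}

int main(void) {
    char out[64];
    build_arena();
    tag_body_vuln(arena, PAGE_LEN, out, sizeof out);
    printf("vulnerable parser returned: \"%s\"\n", out);
    size_t n = tag_body_fixed(arena, PAGE_LEN, out, sizeof out);
    printf("fixed parser returned %zu bytes: \"%s\"\n", n, out);
    return 0;
}
```

The vulnerable scanner's output ends up containing the session bytes that were never part of the page, which is exactly how foreign data comes to appear "along the bottom of web pages alongside jumbled text"; the fix is the bounds check, and the detection signal for a defender is a parser that returns more bytes than the input it was given.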
This bug was recently discovered by Google security researcher Tavis Ormandy while he was working on a corpus distillation project. It came to light between February 13 and February 18 as Cloudflare was migrating to new software. After determining the source of the leak, Ormandy contacted someone at Cloudflare, which then set about fixing the issue.
Cloudflare CTO John Graham-Cumming has since detailed the incident in a long blog post delving into every aspect of what happened. The upshot is Cloudflare has fixed the underlying issue, and worked with search engines to try and remove the cached versions of affected web pages.
You Should Probably Change Your Passwords
There’s a long list of websites potentially caught up in this mess, which has unofficially been dubbed “Cloudbleed” in honor of Heartbleed. Potentially affected websites include Patreon, OKCupid, Uber, Yelp, 4chan, and Fitbit. If you actively use any of the websites on this list you’re advised to change your passwords immediately.
Are any websites you use regularly caught up in this Cloudflare data leak? How are you going to react? Are you likely to change all, some, or none of your passwords? Who should be held accountable for this bug? Please let us know your thoughts in the comments below!
Image Credit: Jim Bauer via Flickr