What the Recent Cloudflare Leak Could Mean For You, and How to Protect Yourself

The change-your-password mantra continues.

Thanks to a security flaw in Cloudflare, potentially sensitive customer data was randomly leaked across the internet over the course of the last five months or so, according to this story from cnet.com.

Cloudflare is an internet infrastructure company that provides security services to millions of websites, including popular services like Uber, Fitbit and OKCupid.  

The company admitted to the flaw on Feb. 23.

It was first uncovered on Feb. 17 by Tavis Ormandy from Google’s Project Zero, which investigates vulnerabilities. The report has been made public and you can read it here.

The flaw could have been leaking data since mid-September 2016.

While numerous news sites covered the issue, Wired.com did a good job of explaining how the flaw worked in this story.

“In certain conditions, Cloudflare’s platform inserted random data from any of its six million customers—including big names like Fitbit, Uber, and OKCupid—onto the website of a smaller subset of customers. In practice, it meant that a snippet of information about an Uber ride you took, or even your Uber password, could have ended up hidden away in the code of another site.”

A ‘Serious’ Bug

Cloudflare’s CTO John Graham-Cumming published a very detailed blog post about the incident:

“The bug was serious because the leaked memory could contain private information and because it had been cached by search engines,” according to Cloudflare. “We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”

From what experts can gather, the data wasn’t posted on high-traffic sites or in ways that were easy to see, but the leaked data included sensitive information such as login credentials and authentication tokens.

Thankfully Cloudflare worked swiftly to fix the bug.

According to Graham-Cumming, they pushed a preliminary fix less than an hour after learning about the problem; a permanent fix was delivered in under seven hours.

Part of what made the bug so serious is that the leaked data was cached by search engines. Cloudflare is working with search engines like Google and Bing to scrub the data.

What You Should Do

Security researcher and former Cloudflare employee Ryan Lackey was interviewed for the Wired.com story. He suggests changing every password for every online account since the leak could have exposed anything.

“Taking standard security hygiene measures like updating passwords and enabling two-factor authentication is always the best first line of defense. And since this Cloudflare bug has such unpredictable results, it’s smart to protect yourself even though you may not have been specifically exposed,” according to the Wired.com story.

At this point, you might as well set a permanent calendar reminder to change your passwords regularly.

