Potentially sensitive data, including user passwords, may have been leaked after a bug was discovered in code used by Cloudflare, a web services and security company whose network sits in front of millions of websites.
According to Tavis Ormandy, a security researcher on Google’s Project Zero team, the vulnerability may have been exposing user data since last September, affecting websites such as pastebin.com, medium.com, uber.com, and yelp.com, among others.
The bug, dubbed Cloudbleed, is being compared to another biggie from 2014, known as Heartbleed, a security bug in the OpenSSL cryptography library. Cloudflare’s edge servers were returning stray fragments of memory, which could include passwords and other private data from requests to one customer’s site, inside the pages served to visitors of entirely unrelated sites. Some of those leaked pages may ultimately have been cached by search engines.
Cloudflare says it has not discovered any evidence of malicious exploits of the bug, but it’s probably worth changing your passwords just to be safe. Unfortunately, it’s unclear just how many sites have been affected.
Change your passwords now!
An unofficial list of sites that may have been affected is circulating on GitHub, and it is long. Being on the list, however, only means a site sits behind Cloudflare; it doesn’t mean that site’s data was actually leaked.
If you want a more technical explanation of what caused the bug and how it was fixed, Cloudflare CTO John Graham-Cumming wrote an extensive blog post detailing what happened. According to Graham-Cumming, the greatest period of impact occurred between February 13 and February 18, just last week.
The good news is that after the bug was brought to Cloudflare’s attention, it was squashed quickly. But, just to be safe, you should probably change your passwords and, where a site offers it, sign out of your existing sessions, since leaked memory could hold session cookies as well as passwords.
Below is a partial list of potentially affected sites: