Cloudflare Leaks data from potentially millions of sites. #CloudBleed

 

So when Tavis Ormandy from Google’s Project Zero called out cloudflare last week, it perked my interest. I knew SOMETHING what up. What exactly…no idea. I’m not a genius like Tavis. Tavis discovered a memory leak at cloudflare leaking information  from all sites that use Cloudflare’s service. That’s over two million sites. Not two million passwords…two million websites!

Cloudflare has since fixed the problem…literally hours after the issue was disclosed. What concerns me is that this has been leaking information since September of last year.  Cloudflare has made an official announcement and lessons learned. That’s great. However, what’s concerning is that it’s hasn’t, and probably won’t release a list of all the affected sites. I guarantee many of these sites won’t ever. Some of the more notable sites are:

Uber.com
okcoupid.com
Authy.com
Fitbit.com
account.leagueoflegends.com
4chan.org
patreon.com
medium.com
coinbase.com
Glassdoor.com
Fiverr.com
Adafruit.com

and many many many more…

For a full list of all the compromised and potentially compromised sites, check out this github page or download the full list (22mb).

So what now? Really, it’s better to just go ahead and change all your passwords. That’s right…all of them. Make sure your passwords are UNIQUE and complex. Use a password manager like lastpass, keepass, or if you’re an enterprise organization I hear CyberArk is pretty good. 🙂