
What is Cloudbleed?

A bug in Cloudflare’s code, dubbed Cloudbleed, has recently exposed confidential information such as messages from dating sites, emails, healthcare information, and passwords for websites it hosts. On February 19th, 2017, Tavis Ormandy (a security researcher at Google’s Project Zero) reported a bug in Cloudflare’s code. As of February 23rd, Cloudflare has patched the issue and released an official incident report on its blog. Unfortunately, the leaked data had time to be publicly cached by search engines like Google, Bing, and Yahoo, which have since scrubbed the leaked data. However, other search engine caches such as DuckDuckGo, and services that mirror these public caches, make it nearly impossible to delete the leaks completely from the Internet.

Who is affected?

In total, 4,287,625 domains are potentially affected by the Cloudbleed flaw over the five months (9/22/16 – 2/20/17) that Cloudbleed went undetected. Affected websites include Uber, Yelp, OkCupid, Patreon, DigitalOcean, Glassdoor, and Fitbit. A complete list can be found here. Additionally, mobile security firm NowSecure has reported a list of 200 iOS apps that may be affected as well.

What can you do about the Cloudbleed bug?

It is highly suggested that internet users change the passwords to their accounts, especially if they use the same password across multiple sites. It is also suggested that two-factor authentication be used when available. Websites such as LastPass and 1Password can be used to maintain secure passwords across all sites.
