Technology is sometimes our greatest ally and sometimes our greatest foe; in this case, it is our foe.
Late Thursday it was uncovered that a bug at Cloudflare, an internet infrastructure company that specializes in web performance and security, had randomly leaked sensitive customer information online. Google vulnerability researcher Tavis Ormandy discovered the flaw on February 17, but said this could have all started back on September 22 of last year. That means random customer data from places like Uber and OKCupid could’ve been embedded in another website’s code. The data ranges from sensitive cookies, login information, and API keys to a whole lot more, including the internal cryptography keys of Cloudflare itself.
In a bit of good news, the leaked data does not appear to have been posted on sites that are well known or regularly experience high traffic. Even if it had ended up there, it wouldn’t have been easy to find. However, the data was recorded in the caches of online search engines.
Cloudflare CTO John Graham-Cumming laid it out in a blog post on Thursday, saying, “Because Cloudflare operates a large, shared infrastructure, an HTTP request to a Cloudflare web site that was vulnerable to this problem could reveal information about an unrelated other Cloudflare site.”
Thankfully, the flaw was permanently patched across all of Cloudflare’s systems around the world in under seven hours. The company also worked with Google and other online search engines to scrub the caches and get back the leaked data.
All in all, a total of 3,000 customers were hit by this, since they used certain HTML and particular Cloudflare settings on their sites.
As usual in this kind of situation, it is highly recommended that you change all your passwords in order to better your online security, as suggested by Ryan Lackey, a security researcher and former employee of Cloudflare.
Are you a Cloudflare customer? How many times have you needed to change your online password? Let us know in the comments below!