Computer users urged to change passwords after massive data leak

Posted February 25, 2017

There's a very, very small chance that any sensitive information, including passwords, you've given to websites that use Cloudflare - and many do - may have been released to the Internet as a result.

Cloudflare has published a post-mortem on the bug, which may have been active since mid-2016. Another major concern was that Cloudflare typically hosts content from different sites on the same server, so a request to one vulnerable website could reveal information about a separate, unrelated Cloudflare site. Given how many websites use Cloudflare, that's a big "Oops".

Still, it's an extremely important company for the infrastructure of the internet. They noticed unusual data that was coming up from websites using Cloudflare. Also, anyone with website admin credentials should change them immediately. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings.

The security hole came in Cloudflare's HTML parser, which instead of just parsing HTML also injected extra code.

While it appears nobody has exploited the data, one of the largest difficulties for Cloudflare has been cleaning up the mess that was created. Under these circumstances, "Cloudbleed" seems to be a fitting name for the situation.

Cloudflare provides a timeline on its blog, where it confirms that the minor features were re-enabled worldwide. The company then worked with search engines to clear the data that had been cached. That's how Google got involved.

CDN and security provider Cloudflare has been leaking data from its TLS connections, Google researcher Tavis Ormandy has discovered - and despite his best efforts the flaw is now known as Cloudbleed. The content delivery network has acknowledged the issue and said it has fixed the underlying problem. These are not things that should be publicly accessible, even through complicated technical maneuvering. That memory might have contained sensitive data, like passwords or private communications.

Among what Google observed was what Prince referred to as Cloudflare's "NSA key". "Other data might exist in other caches and services throughout the Internet". "We always internally called it the 'NSA key' because if the NSA was sitting on a piece of fiber connecting two of our data centers", Prince said, "this was the key that kept that data from being listened in on".

After reading the post on Cloudflare's website, Ormandy commented that "It contains an excellent postmortem, but severely downplays the risk to customers".

According to Cloudflare's blog post, the real threat to users came as a result of some of that information being captured by search engines. All of this data is usually encrypted, and if someone were poking around, they could have gotten a lot of user information. "Cloudflare customers are going to need to decide if they need to rotate secrets and notify their users based on the facts we know". Still, Prince readily admitted that "it could have been extremely bad".

As you can see, the list is absolutely massive. Because Cloudflare serves billions of pages each day, the number of leaky pages added up to about 120,000 a day, the company said.