Cloudbleed, an Information Leak Bug from Cloudflare

Being proactive and taking precautions now can help minimize risk. Learn some initial steps.

February 24, 2017
Bill Fitzgerald Director, Privacy Initiative

CATEGORIES Privacy Evaluation Initiative

Yesterday, Cloudflare disclosed a serious bug that had been leaking user data since September 2016. While there are no known cases of this data being exploited, people with accounts on affected sites should change their passwords.

Cloudflare is a widely used provider of performance, security, and scalability services. A site that uses Cloudflare routes its traffic through Cloudflare's servers, which sit between your browser and the site itself. Most of us pass through Cloudflare on multiple sites each day and never know it, because Cloudflare sits in front of the site rather than in anything visible on the page.

Not every site that uses Cloudflare is affected: the leak was caused by a bug in the HTML parser that Cloudflare runs on its servers, and it was triggered only on sites with certain optional features enabled (Cloudflare's notification names email obfuscation, Server-Side Excludes, and Automatic HTTPS Rewrites). On those sites, though, a malformed page could cause the parser to read past the end of a buffer and include whatever happened to be in the server's memory in the response. Because one Cloudflare server handles traffic for many sites, that memory could contain sensitive information -- including cookies, session tokens, and passwords -- belonging to other sites and other users, and some of those responses were cached by search engines. This went on for months. Again, there have been no reported cases of this information being exploited, but people are still advised to take precautions.

Affected sites include larger sites such as OkCupid and Uber, but given the widespread use of Cloudflare, it's likely that some edtech providers were affected by this issue as well.

  • This site lets you check individual domains to see if they use Cloudflare.
  • This page has a list of all sites affected (it's a pretty long list).
  • This story from Ars Technica gives a good write-up on the issue.
  • This is the breach notification from Cloudflare.
  • For those who want all the gory details, click here for a summary write-up by Tavis Ormandy of Google's Project Zero, who discovered the bug.
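If you would rather do the first of those checks yourself, the two signals that tell you a site is fronted by Cloudflare are visible to anyone: the domain's authoritative nameservers (Cloudflare-managed zones point at hosts under ns.cloudflare.com) and the response headers Cloudflare's edge adds to every reply (a `Server` header that starts with "cloudflare", plus `CF-RAY` and `CF-Cache-Status`). The script below is an added example written for this post, not code from Cloudflare or from any of the sites linked above. It takes the nameserver list from `dig +short NS example.com` output and the headers from a HEAD request; the sample inputs embedded in it are constructed, not captured from a real site. Note what it does and does not tell you: a match means the site's traffic passes through Cloudflare, which is the precondition for being affected, but it cannot tell you whether the site had the vulnerable features turned on.

```python
"""Heuristic check: is a hostname fronted by Cloudflare?

Added example for this post (not Cloudflare's code). Two observable signals:
  1. DNS: the zone's nameservers are under ns.cloudflare.com
  2. HTTP: Cloudflare's edge stamps responses with Server: cloudflare
     (older edges reported "cloudflare-nginx") and CF-RAY / CF-Cache-Status
A match means traffic transits Cloudflare's edge; it does NOT by itself mean
the site was affected by Cloudbleed.
"""
import urllib.request

CLOUDFLARE_NS_SUFFIX = ".ns.cloudflare.com"
CLOUDFLARE_EDGE_HEADERS = ("cf-ray", "cf-cache-status")


def parse_dig_ns_output(text):
    """Turn `dig +short NS <domain>` output into a list of hostnames.

    dig prints one fully-qualified name per line with a trailing dot;
    blank lines and comments are ignored.
    """
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        names.append(line.rstrip(".").lower())
    return names


def nameservers_are_cloudflare(nameservers):
    """True if any authoritative nameserver is Cloudflare-managed."""
    return any(ns.lower().rstrip(".").endswith(CLOUDFLARE_NS_SUFFIX)
               for ns in nameservers)


def headers_indicate_cloudflare(headers):
    """Case-insensitive check of HTTP response headers for edge markers."""
    lowered = {k.lower(): v for k, v in headers.items()}
    server = lowered.get("server", "").strip().lower()
    if server.startswith("cloudflare"):      # "cloudflare" or "cloudflare-nginx"
        return True
    return any(h in lowered for h in CLOUDFLARE_EDGE_HEADERS)


def cloudflare_signals(nameservers, headers):
    """Return the list of signals that matched, in a fixed order.

    An empty list means neither DNS nor HTTP points at Cloudflare.
    """
    signals = []
    if nameservers_are_cloudflare(nameservers):
        signals.append("dns")
    if headers_indicate_cloudflare(headers):
        signals.append("http")
    return signals


def fetch_headers(url, timeout=10):
    """Live helper (needs network): response headers from a HEAD request."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample inputs (not captured from any real domain).
SAMPLE_DIG_OUTPUT = "ada.ns.cloudflare.com.\nbob.ns.cloudflare.com.\n"
SAMPLE_CF_HEADERS = {
    "Server": "cloudflare-nginx",
    "CF-RAY": "0123456789abcdef-SJC",
    "Content-Type": "text/html",
}
SAMPLE_PLAIN_HEADERS = {"Server": "nginx/1.10.3", "Content-Type": "text/html"}

if __name__ == "__main__":
    ns = parse_dig_ns_output(SAMPLE_DIG_OUTPUT)
    print("constructed sample:", cloudflare_signals(ns, SAMPLE_CF_HEADERS))
    # To check a real site, paste its `dig +short NS` output and run:
    #   cloudflare_signals(parse_dig_ns_output(dig_text),
    #                      fetch_headers("https://example.com/"))
```

A site can also sit behind Cloudflare with its own nameservers (by pointing a CNAME at Cloudflare), which is why the HTTP signal is checked independently of the DNS one rather than requiring both.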

If you have an account at a site that is affected by this issue, change your password. If you use one of the larger sites affected by this issue (such as Uber, Yelp, Medium, OkCupid, and 23andMe), change those passwords immediately. Because session cookies and tokens were among the data leaked, changing a password does not necessarily end a session that was already captured: where a site offers "sign out of all devices" or a list of active sessions, use it, and turn on two-factor authentication if the site supports it. If you have reused a username/password combination on any of these sites, all reused passwords also should be changed (and if you're reusing passwords, stop! Get a password manager!). If you're unsure whether or not a site you use is affected, especially in an educational setting, ask tech support staff in your school or district or contact the vendor directly.

It's worth repeating that, as of today, there have been no known cases of any information revealed by the Cloudflare bug being misused. However, we strongly recommend caution. The 10 to 15 minutes you will spend updating passwords -- or the 30 minutes you will spend getting started with a password manager -- is a lot less time and hassle than reassembling the pieces of your digital life if one or more of your accounts gets compromised.
