Get ready to change all your passwords again.
A huge new memory leak from web services company Cloudflare may have left data from thousands of domains exposed, including some very high-profile sites. Cloudflare says it fixed the problem, which was caused by a bug known as Cloudbleed, but not before users’ sensitive data got cached by search engines.
Google security analysts Tavis Ormandy discovered the security flaw. Details on how Cloudbleed got found and fixed can be read in a long blog post by Cloudflare.
Information on the Cloudbleed bug was reported to Cloudflare on February 18. The company says the greatest period of impact was from February 13 to February 18. During that time, about one in every 3.3 million HTTP requests through Cloudflare resulted in memory leakage. As a result, HTTP cookies, authentication tokens, HTTP POST bodies and other sensitive data was available to hackers.
What does Cloudbleed mean for you?
There’s still a lot of information on Cloudbleed to sift through, but it appears that more than 4 million domains were at risk. An official list of websites affected hasn’t been given yet.
A user on GitHub composed a list of all the sites that use Cloudflare’s DNS servers. The person warns that just because a domain is on the list does not mean the site got compromised. And sites that do not appear on the list could be compromised.
Some of the most notable domains that might have been vulnerable are: Patreon.com, Medium.com, 4chan.com, Yelp.com, Zendesk.com, Uber.com, thePirateBay.org, pastebin.com, petapixel.com, feedly.com and change.org.
Because millions of websites use Cloudflare’s services, you might want to change your passwords for everything. Even if you don’t care if hackers access data from one of the websites affected, they could use that information to access other services.
Cloudflare says the search engine caches have been cleared of any sensitive data. No evidence of malicious exploits as a result of the bug have been discovered. But you should probably still change your passwords just to be safe..