Cloudbleed bug may have exposed your passwords

Cloudbleed bug may have exposed your passwords


Another nasty internet bug may have exposed your data.
Another nasty internet bug may have exposed your data.
Photo: Cloudflare

Get ready to change all your passwords again.

A huge new memory leak from web services company Cloudflare may have left data from thousands of domains exposed, including some very high-profile sites. Cloudflare says it fixed the problem, which was caused by a bug known as Cloudbleed, but not before users’ sensitive data got cached by search engines.

Google security analysts Tavis Ormandy discovered the security flaw. Details on how Cloudbleed got found and fixed can be read in a long blog post by Cloudflare.

Information on the Cloudbleed bug was reported to Cloudflare on February 18. The company says the greatest period of impact was from February 13 to February 18. During that time, about one in every 3.3 million HTTP requests through Cloudflare resulted in memory leakage. As a result, HTTP cookies, authentication tokens, HTTP POST bodies and other sensitive data was available to hackers.

What does Cloudbleed mean for you?

There’s still a lot of information on Cloudbleed to sift through, but it appears that more than 4 million domains were at risk. An official list of websites affected hasn’t been given yet.

A user on GitHub composed a list of all the sites that use Cloudflare’s DNS servers. The person warns that just because a domain is on the list does not mean the site got compromised. And sites that do not appear on the list could be compromised.

Some of the most notable domains that might have been vulnerable are:,,,,,,,,, and

Because millions of websites use Cloudflare’s services, you might want to change your passwords for everything. Even if you don’t care if hackers access data from one of the websites affected, they could use that information to access other services.

Cloudflare says the search engine caches have been cleared of any sensitive data. No evidence of malicious exploits as a result of the bug have been discovered. But you should probably still change your passwords just to be safe.


Daily round-ups or a weekly refresher, straight from Cult of Mac to your inbox.

  • The Weekender

    The week's best Apple news, reviews and how-tos from Cult of Mac, every Saturday morning. Our readers say: "Thank you guys for always posting cool stuff" -- Vaughn Nevins. "Very informative" -- Kenly Xavier.