Here Are The Passwords You Should Change Immediately

A software bug in Cloudflare, a widely used content delivery and web security service that sits in front of its customers' sites, may have exposed data belonging to over 5 million websites, including Fitbit, Uber, and OkCupid.

Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc.

The vulnerability was first discovered on Feb. 17 by Google Project Zero employee Tavis Ormandy, who, in a blog post, said he found "private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings" in the data cached by search engines. Ormandy uploaded screenshots of Fitbit and Uber sessions with sensitive information redacted.

"Uh, should I do something about this?!?!"

Example of how random the @Cloudflare leak was... @fitbit data was pushed to a website in the Philippines.

The short answer is yes. While the leak rate was relatively low (about 0.00003% of HTTP requests, or 1 in every 3,300,000, according to Cloudflare), the extent of the bug, which is being called "Cloudbleed," is far-reaching, because any request that triggered it could return data from any other customer sharing the same servers. In a Medium blog post, security researcher Ryan Lackey wrote, "The duration and potential breadth of information exposed is huge — Cloudflare has over 2 million websites on its network, and data from any of these is potentially exposed."

The leaked data did not come from the site a user was visiting but from other Cloudflare customers' traffic passing through the same edge servers: a page affected by the bug could return fragments of other sites' cookies, session tokens, and submitted form data. An attacker who knew about the bug could have requested such pages repeatedly to harvest that data, and the copies saved by search engine caches were readable by anyone who found them.

Coming out of paternity leave for PSA: If you're on CloudFlare and you or your customers are HIPAA regulated you have a reportable breach.

Does the leak affect you? Check this list of the 4,287,625 possibly affected web domains.

You can also use the website Does It Use Cloudflare? to check a specific domain. Keep in mind that either check only tells you whether a site is behind Cloudflare, not whether any of its data was actually leaked.
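If you would rather check a domain yourself than trust a third-party lookup, the markers Cloudflare's proxies leave on a response (the CF-RAY trace header, a Server value beginning with "cloudflare", the __cfduid cookie) and nameservers under ns.cloudflare.com are what these lookup sites key on. The script below is an added example, not code from the article or from Cloudflare; the sample headers are constructed, and a live check still only shows whether a site is behind Cloudflare today, not whether it was during the leak window.

```python
"""Check whether a site is fronted by Cloudflare from client-observable evidence:
response headers, cookies, and the domain's authoritative nameservers."""
import urllib.error
import urllib.request
from typing import Iterable, List, Sequence, Tuple

Header = Tuple[str, str]

# Nameservers Cloudflare assigns to customers end in this suffix.
CF_NS_SUFFIX = ".ns.cloudflare.com"


def cloudflare_evidence(headers: Sequence[Header], nameservers: Iterable[str] = ()) -> List[str]:
    """Return human-readable indicators that the response came through Cloudflare.

    An empty list means no indicator was seen; it is not proof of absence, since a
    site can strip the Server header or not use Cloudflare's cookies.
    """
    evidence: List[str] = []
    for name, value in headers:
        lname = name.lower()
        if lname in ("cf-ray", "cf-cache-status"):
            # Added by Cloudflare's edge on every proxied response.
            evidence.append(f"header {name}: {value}")
        elif lname == "server" and value.lower().startswith("cloudflare"):
            # 'cloudflare' today, 'cloudflare-nginx' in 2017.
            evidence.append(f"header Server: {value}")
        elif lname == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name == "__cfduid":
                evidence.append("cookie __cfduid set by the edge")
    for ns in nameservers:
        if ns.lower().rstrip(".").endswith(CF_NS_SUFFIX):
            evidence.append(f"nameserver {ns}")
    return evidence


def fetch_headers(url: str, timeout: float = 5.0) -> List[Header]:
    """Fetch response headers with a HEAD request (live check; needs network).

    A 4xx/5xx still carries Cloudflare's headers, so we keep those too.
    """
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "cf-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return list(resp.getheaders())
    except urllib.error.HTTPError as err:
        return list(err.headers.items())


# Constructed sample responses (not captured from any real site).
SAMPLE_CLOUDFLARE: List[Header] = [
    ("Date", "Thu, 23 Feb 2017 22:10:00 GMT"),
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "__cfduid=d0123456789abcdef0123456789abcdef01487887800; path=/; HttpOnly"),
    ("Server", "cloudflare-nginx"),
    ("CF-RAY", "33a1b2c3d4e5f6a7-SJC"),
]
SAMPLE_ORIGIN_ONLY: List[Header] = [
    ("Date", "Thu, 23 Feb 2017 22:10:00 GMT"),
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Server", "nginx/1.10.3"),
]


def classify(headers: Sequence[Header], nameservers: Iterable[str] = ()) -> bool:
    """True when at least one Cloudflare indicator is present."""
    return bool(cloudflare_evidence(headers, nameservers))


if __name__ == "__main__":
    # Nameservers would normally come from `dig NS example.com`; supplied here by hand.
    for label, hdrs, ns in (
        ("sample-cloudflare", SAMPLE_CLOUDFLARE, ["ada.ns.cloudflare.com."]),
        ("sample-origin-only", SAMPLE_ORIGIN_ONLY, ["ns1.example-dns.net."]),
    ):
        print(label, "->", cloudflare_evidence(hdrs, ns) or "no Cloudflare indicators")
```

Run it against a live domain with `fetch_headers("https://example.com/")` plus the domain's NS records from `dig`; a hit on any one indicator is enough to put the site on your "change that password" list.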

It might be easier to change all of your passwords as a precaution. You can *never* take your online security too seriously.

Change your passwords, and make them strong.

Lackey suggests using a password manager like 1Password (which uses Cloudflare, but encrypts vault data end to end before it leaves your device, so the leak could not expose it) or LastPass to create a long, random, unique password for every online account.

Make sure you have two-factor authentication enabled everywhere.

Two-factor authentication requires a second proof of identity in addition to your password, most commonly a one-time code from an authenticator app or a text message to your phone. Here's a comprehensive list of websites that have two-factor, with links to how to turn it on for every site.

Two-factor setup pages show the secret (usually as a QR code) and the backup codes in your browser session, so if you enabled the feature on an affected site within the past few months, those values may have been among the leaked responses. Disable and re-enable two-factor on such accounts so a fresh secret is issued, and generate new backup codes.
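Why re-enabling matters: every code an authenticator app produces is computed from the secret shown at enrollment (RFC 6238 TOTP, a truncated HMAC over the current 30-second time step), so whoever holds a leaked secret or backup code can pass the second factor for as long as that enrollment stays valid, and the only fix is to rotate it. The following is an added example written for this article, not code from the original page or from any 2FA provider; the enrollment helper is a simplified illustration of what a site does when you turn the feature on, and the test secret is the one published in RFC 6238.

```python
"""Minimal RFC 4226/6238 one-time codes, to show what a 2FA enrollment secret buys."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC(secret, counter) -> dynamic 4-byte truncation -> decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits, algo)


def verify(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift."""
    step = unix_time // 30
    return any(
        hmac.compare_digest(hotp(secret, step + drift), code)
        for drift in range(-window, window + 1)
    )


def enroll() -> Tuple[bytes, str, List[str]]:
    """Simplified enrollment (illustration, not any real site's code).

    Returns the raw 160-bit secret, its base32 form (what the QR code encodes),
    and ten single-use backup codes. Everything here is shown to the user once,
    which is exactly why it can end up in a leaked or cached HTTP response.
    """
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode("ascii")
    backup_codes = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(10)]
    return secret, b32, backup_codes


def rotation_invalidates_old_secret(unix_time: int) -> bool:
    """Re-enrolling issues a new secret; codes from the old one stop verifying."""
    old_secret, _, _ = enroll()
    new_secret, _, _ = enroll()
    leaked_code = totp(old_secret, unix_time)       # what an attacker could compute
    return not verify(new_secret, leaked_code, unix_time) or old_secret == new_secret


# RFC 6238 Appendix B test secret (SHA-1, 8 digits): constructed vector, not a real account.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    secret, b32, codes = enroll()
    print("secret (base32, as in the QR code):", b32)
    print("backup codes:", codes)
    print("current TOTP:", totp(secret, now))
    print("rotation invalidates leaked code:", rotation_invalidates_old_secret(now))
```

The point for a Cloudbleed user: a leaked backup code or the base32 secret from a setup page is as good as the authenticator app itself, and changing the password does not touch it; only re-enrolling does.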

While you're at it, add a PIN or port-out lock to your mobile carrier account.

Hackers can defeat SMS-based two-factor authentication by persuading your mobile carrier to move your number to a SIM they control, sometimes with nothing more than your name and the last four digits of your Social Security number. It's easy to add an extra layer of security to your phone number, and here's how to do it.

And if you are a website admin using Cloudflare on a domain, consider forcing a password change for users.

Lackey wrote, "For any sites processing highly sensitive information through Cloudflare, the lack of a quantifiable maximum exposure probably means it is worth forcing a password update [on] any sites processing."

Larger sites that are not on Cloudflare should also consider prompting password changes, since many of their users will have accounts on Cloudflare-hosted sites and may have reused the same password.
