It’s a rough day for users of, well, basically the entire internet: A major vulnerability in a huge web services company has been disclosed, and it means your personal data may have leaked into public view from a whole lot of places.
The problem is with California-based Cloudflare, which provides internet security, reverse proxy, content delivery, and domain name server services, among other things. Basically, businesses like Cloudflare are a large part of what make websites, and your ability to connect to them when you want, work.
Some in the tech world are calling the bug Cloudbleed, in reference to the massive Heartbleed security flaw discovered in 2014.
Cloudflare shared the details in a blog post. They’re very technical, if you’re so inclined.
If you’re not so inclined, the important part is this: There was a bug on some servers that let some data leak out when certain websites made the connections they need to make in order for the internet to work the way you see it do.
The data may have been leaking since Sept. 22 last year, but the greatest period of impact, Cloudflare says, was from Feb. 13 to Feb. 18 — last week, basically.
Google, and other search sites, had managed to cache — collect and hold — some of the leaked data through their normal internet-crawling processes. Cloudflare waited until that leaked data had been cleared out before making the issue public.
With assistance from Google, Bing, Yahoo, and others, Cloudflare found that data from at least 161 domains had been leaked and cached.
A tool, aptly named Does It Use CloudFlare, indicates that many biggies — among them Facebook, Google, Amazon, and Twitter — are not affected by this bug. That part is the good news. (For the record: Consumerist does not use Cloudflare.)
Here’s the bad: More than 5.5 million websites in some way use Cloudflare services. A GitHub user has compiled an unofficial list of affected sites, which includes well-known names like Yelp, OK Cupid, Uber, Medium, Fitbit, Patreon, Y Combinator, Feedly, and many, many more.
The general advice from internet security experts? Now is just a really great time to go “rotate” your passwords. As in, change ’em all.
As ever, it’s always a good idea to use a password manager if you can (a couple do use Cloudflare, but were not affected by this bug) and two enable two-factor authentication of some kind of basically all your accounts.
by Kate Cox via Consumerist