Earlier this month, a security bug leaked usernames and passwords from roughly 3,400 websites, including popular services like Uber, Fitbit, OkCupid, and 1Password. The bug, now referred to as “CloudBleed”, was found in cybersecurity company Cloudflare’s security suite. It would essentially vomit user information, potentially including usernames, passwords, private messages, chat messages, and hotel bookings, as a string of gibberish that could be cached by a search engine or displayed on the web page it came from. Anyone who knew what they were looking at could potentially have used this information to access the leaked account. While 3,400 websites have been confirmed to be leaking information, Google security researcher Tavis Ormandy, who initially identified the flaw, has said that all websites currently using Cloudflare’s security tools are leaking information onto the net.
That’s the bad news, but thankfully there is good news. Jeffrey Goldberg of password management service 1Password has stated that any leaked information would remain safe, since 1Password encrypts all passwords it stores; to anyone reading it, the string leaked by CloudBleed would be a completely unintelligible mess. Uber has claimed that passwords were not exposed by this bug, and that only a “handful of session tokens” were leaked, which have since been changed to prevent further leaks. Fitbit has said it is assessing the damage and taking internal steps to mitigate the problem, but has declined to say much else. OkCupid’s CEO claims “Our initial investigation has revealed minimal, if any, exposure.” Cloudflare has now fixed CloudBleed, and any website that regularly updates its security software should be back up to speed by now.
So what should you do about this? Personally, even though Cloudflare and several of the affected websites have claimed that the damage is minimal, I always suggest that end users err on the safe side. While it may be unlikely that anyone who found the leaked info knew what they were looking at, that doesn’t change the fact that personal information was leaked onto the open web. Google researcher Ormandy agrees, and has stated that he thinks it is wise for end users of websites using Cloudflare to change their passwords and verify the security of their data.
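Ormandy’s advice applies to accounts on sites that sit behind Cloudflare, so the first practical step is working out which of your accounts those are. The script below is an added example, not code from the original post or from Cloudflare: it parses saved HTTP response headers and flags hosts whose responses carry Cloudflare’s proxy headers (`Server: cloudflare`, `CF-RAY`, `CF-Cache-Status`). The host names and header blocks are constructed sample data; in a real run you would paste in headers captured with something like `curl -sI https://<host>`.

```python
"""Flag hosts whose HTTP response headers show they are proxied by Cloudflare.

Added example (not from the original post). Assumes the reader has captured
response headers for each site they hold an account on, for instance with
`curl -sI https://<host>`, and pasted them into RAW_RESPONSES. The hosts and
header blocks below are constructed sample data, not real captures.
"""

# Headers that Cloudflare's reverse proxy adds to responses it serves.
CLOUDFLARE_HEADERS = ("cf-ray", "cf-cache-status")


def parse_headers(raw: str) -> dict[str, str]:
    """Turn a raw HTTP response head into a dict keyed by lower-cased header name.

    The status line is skipped and anything after the first blank line (the
    body) is ignored. Duplicate headers keep the first value, which is enough
    for this check.
    """
    head = raw.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    headers: dict[str, str] = {}
    for line in head.splitlines()[1:]:  # index 0 is e.g. "HTTP/1.1 200 OK"
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def fronted_by_cloudflare(raw: str) -> bool:
    """True when the response carries Cloudflare's Server banner or CF-* headers."""
    headers = parse_headers(raw)
    if headers.get("server", "").lower() == "cloudflare":
        return True
    return any(name in headers for name in CLOUDFLARE_HEADERS)


def hosts_to_rotate(responses: dict[str, str]) -> list[str]:
    """Return, sorted, the hosts whose responses show Cloudflare in front of them."""
    return sorted(host for host, raw in responses.items() if fronted_by_cloudflare(raw))


# Constructed sample captures; these host names and values are illustrative only.
RAW_RESPONSES = {
    "shop.example": (
        "HTTP/1.1 200 OK\r\n"
        "Server: cloudflare\r\n"
        "CF-RAY: 0123456789abcdef-SJC\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ),
    "blog.example": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx/1.10.3\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ),
    "api.example": (
        "HTTP/1.1 301 Moved Permanently\r\n"
        "server: CLOUDFLARE\r\n"  # header names and values may differ in case
        "cf-cache-status: DYNAMIC\r\n"
        "Location: https://api.example/v2/\r\n"
        "\r\n"
    ),
}

if __name__ == "__main__":
    for host in hosts_to_rotate(RAW_RESPONSES):
        print(f"{host}: behind Cloudflare, rotate this password")
```

The check only reports what the proxy added at the moment you captured the headers. A site that moved off Cloudflare after the fix, or one you captured from a cached or redirected response, will show nothing, so treat a positive result as a reason to rotate and a negative result as inconclusive; when in doubt, rotating the password costs little.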