February 27, 2017

Change your passwords if you’re using any of these sites

Change your passwords. This is not a drill.

Cloudflare, one of the world’s largest internet security companies, recently suffered a massive data leak of unknown proportions that includes passwords, personal information, messages, cookies, and more, in what is considered an internet security disaster that has since been named “Cloudbleed”.


A tiny bug in Cloudflare’s code is to blame for compromising user data on thousands of sites. Security researcher Tavis Ormandy of Google’s Project Zero identified the bug, and the code was fixed immediately, but the discovery came too late: Cloudflare-backed websites had already been leaking data before it was found.


According to the security company, the earliest data leak goes back to September 2016. It adds that “the greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage.”

No one is sure if criminal elements have already found the bug and exploited the data leak before Cloudflare was able to fix the issue. Websites backed by Cloudflare include OKCupid, 1Password, FitBit, and Uber. It will take time before we know the full extent of this data breach, but so far it has included a wide range of data from API keys to private messages, so it’s better to change your password now before you regret it later.

On Cloudflare

Cloudflare is a web performance and security company that originally made an app for tracking down spam sources. It then evolved into a company offering a wide range of products and web services, including performance-based services (such as a content delivery network), reliability-focused services such as domain name server (DNS) hosting, and security services such as distributed denial of service (DDoS) attack protection.

The data leak all boiled down to a tiny detail in Cloudflare’s code: a “==” where a “>=” should have been in a single line of code. Instead of giving you all the details of how it went wrong, this is how it went down in simple terms: Cloudflare’s software tried to store user data in the right place, but when that place was full it kept going and read data belonging to a completely different website into its responses. Since those responses were cached by search engines like Google, Cloudflare has to hunt down the locations of these data leaks before criminal elements find them.
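To show why a single “==” in an end-of-buffer check matters, here is a small constructed example in C. It is not Cloudflare’s code and does not reproduce its parser; it only assumes, as the article describes, that the check compared a moving pointer against the end of the current request’s data. A two-byte marker makes the pointer step past the end by one, so an equality check never fires and the loop carries on into the neighbouring bytes, while a “>=” check stops where it should. The backing array is deliberately larger than the request so the demonstration stays within memory the program owns.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed input: the current request followed by another tenant's data
   that sits immediately after it in memory and must never be emitted. */
#define REQUEST   "ab<"
#define NEIGHBOUR "SECRET"

/* Copies request bytes from [p, pe) into out, skipping two-byte "<x" markers.
   hard_end bounds the arena we own so the buggy variant cannot read outside it.
   strict == 0 uses the buggy "p == pe" check, strict == 1 the fixed "p >= pe". */
static size_t copy_body(const char *p, const char *pe, const char *hard_end,
                        char *out, size_t outcap, int strict)
{
    size_t n = 0;
    while (n < outcap && p < hard_end) {
        /* The end-of-input check. Equality only notices the end when p lands
           exactly on pe; the fixed form also notices when p has jumped past it. */
        if (strict ? (p >= pe) : (p == pe))
            break;
        if (*p == '<') {   /* marker is two bytes long: skip both */
            p += 2;        /* overshoots pe by one when '<' is the last byte */
            continue;
        }
        out[n++] = *p++;
    }
    return n;
}

/* Lays out REQUEST followed by NEIGHBOUR in one arena, runs the parser over
   the request only, and returns how many bytes ended up in out (NUL-terminated). */
size_t run_demo(int strict, char *out, size_t outcap)
{
    static char arena[64];
    size_t req_len = strlen(REQUEST);
    size_t nb_len  = strlen(NEIGHBOUR);

    memset(arena, 0, sizeof arena);
    memcpy(arena, REQUEST, req_len);
    memcpy(arena + req_len, NEIGHBOUR, nb_len);

    const char *p        = arena;
    const char *pe       = arena + req_len;            /* end of this request */
    const char *hard_end = arena + req_len + nb_len;   /* end of memory we own */

    size_t n = copy_body(p, pe, hard_end, out, outcap - 1, strict);
    out[n] = '\0';
    return n;
}

int main(void)
{
    char out[32];
    run_demo(0, out, sizeof out);
    printf("buggy  (==): \"%s\"\n", out);   /* neighbour's bytes leak into the output */
    run_demo(1, out, sizeof out);
    printf("fixed  (>=): \"%s\"\n", out);   /* stops at the request boundary */
    return 0;
}
```

The fix is the same one-character change the article names: a boundary check written as “>=” is robust to any step size, whereas “==” silently depends on the pointer never moving more than one byte at a time.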


“Cloudflare is behind many of the largest consumer web services (Uber, Fitbit, OKCupid, …), so rather than trying to identify which services are on Cloudflare, it’s probably most prudent to use this as an opportunity to rotate ALL passwords on all of your sites,” entrepreneur and security expert Ryan Lackey wrote in a blog post. “Users should also log out and log in to their mobile applications after this update.”

Listed below are just a few of the notable sites believed to be at risk:

  • authy.com
  • patreon.com
  • medium.com
  • 4chan.org
  • yelp.com
  • zendesk.com
  • uber.com
  • thepiratebay.org
  • pastebin.com
  • discordapp.com
  • change.org
  • feedly.com
  • hardsextube.com
  • nationalreview.com
  • petapixel.com
  • puu.sh
  • putlocker.ws
  • tineye.com

For a more extensive list of websites that use Cloudflare and may therefore be affected by the leak, see https://github.com/pirate/sites-using-cloudflare.