Security

Cloudflare admits bug leaked customer data for months

CIO Dive
CIO Dive
3 Min Read
Image

  • Dive Brief:

    • Cloudflare announced Thursday that its edge servers leaked sensitive data — including customer passwords, cookies and authentication tokens — for months, according to a company blog post.
    • Cloudflare chief technology officer John Graham-Cumming said the company’s edge servers “were running past the end of a buffer and returning memory that contained private information,” admitting that the flaw “could have allowed anyone who noticed the error to collect a variety of very personal information that is typically encrypted or obscured.”
    • The content delivery network says the leak, which some are referring to as “Cloudbleed,”  may have been active as early as Sept. 22, 2016, though it was at its most severe between Feb. 13 and Feb. 18. During that time, around one in every 3.3 million HTTP requests to Cloudflare sites may have exposed data. The flaw was reported by a security researcher at Google’s Project Zero.

    Dive Insight:

    Well, it’s time to change your passwords. Again. Cloudflare offers services to more than 5 million websites and has large customers like Uber and OkCupid, so a data leak could potentially be devastating.

    Contents
    Dive Brief:Dive Insight:

    Though Cloudflare moved quickly to fix the problem once it was informed about it, that still leaves a period of about five months when leaked private information could have been intercepted real time or cached by search engines.

    Cloudflare personnel say they don’t believe anyone has taken advantage of the leak. Nevertheless, users of the service may want to change their passwords, to ensure accounts are not compromised. Some Cloudflare customers, like Creative Commons and Change.org, are mandating users reset passwords even if they were not directly impacted.

    “Because our donor data did not touch the Cloudflare service, we do not believe it was ever at risk,” wrote Eric Steuer, director of content and community at Creative Commons. “Additionally, Cloudflare has contacted us directly and informed us that we are not among the sites they know of that were affected by the leak. Despite this, out of an abundance of caution, we are requiring all CCID users to reset their passwords.”

    More Read

    data protection for SMEs

    8 Crucial Tips to Help SMEs Guard Against Data Breaches

    Digital Transformation: How To Protect Your Organization From Cyber Risk
    Social Engineering Attacks and Other Cybersecurity Threats to Be Aware of in 2023
    Cyber Attacks on Small Businesses: Understanding Risks and Prevention
    Vendor Security is Key to Preventing Future Data Breaches

    This post originally appeared on our sister publication, CIO Dive. Our mission is to provide busy professionals like you with a bird’s-eye-view of the Information Technology industry in 60 seconds.

Share This Article

Follow us on Facebook

Latest News

Data Ethics: Safeguarding Privacy and Ensuring Responsible Data Practices
Data Ethics: Safeguarding Privacy and Ensuring Responsible Data Practices
Best Practices Big Data Data Collection Data Management Privacy
data protection for SMEs
8 Crucial Tips to Help SMEs Guard Against Data Breaches
Data Management
How AI is Boosting the Customer Support Game
How AI is Boosting the Customer Support Game
Artificial Intelligence
AI analytics
AI-Based Analytics Are Changing the Future of Credit Cards
Analytics Artificial Intelligence Exclusive

Stay Connected

Lost your password?