Why the ‘Cloudbleed’ Data Leak Flaw Posed a Major Threat to Websites

Cloudflare has patched critical security flaws that could have allowed leaks of data from thousands of websites over a six-month period. Cloudflare and security researchers are still watching to see if any leaked data has been exploited.

Cloudlflare is a prominent internet infrastructure company that provides a host of services to websites, including load-balance optimization and security. It also provides website performance data. Cloudflare works behind the scenes in a lot of prominent websites.

Cloudflare said in a Feb. 23 statement that user information to thousands of websites, including passwords, leaked over a six-month period. Its edge servers, it said, malfunctioned and returned memory that contained private user information, some of which could have been crawled and cached by search engines.

The full list of affected sites hasn’t been publicly disclosed, but some companies have said they might have been affected. As of this writing, Uber has confirmed it was a Cloudbleed victim. Fitbit also was affected. Other impacted sites could emerge.

Knowing how many users were affected by Cloudbleed is difficult. Cloudflare provides its solutions to sites that work with millions of internet users. Most security experts believe a chunk of those folks were subject to it.

According to Cloudflare, after it learned of the problem, it discovered three features might have been at the center of the leak and shut them down: email obfuscation, server-side excludes and automatic HTTPS rewrites.

Cloudflare moved quickly to address Cloudbleed. The company said it turned off the affected services within 47 minutes of discovering the flaw and fixed the leak fully in less than seven hours.

In addition to addressing Cloudbleed, Cloudflare analyzed the scope of the leak. It found that although search engines including Google had cached its data, there had been no malicious activity surrounding it. The cached data was purged wherever it was found.

Although malicious hackers hadn’t taken advantage of the leak, it’s still a good idea to change your website passwords immediately. It’s the first line of defense against any malicious hacker who might somehow cull data from Cloudbleed.

Unfortunately, beyond changing passwords, there isn’t much users can do about Cloudbleed. The damage has already been done—the information was leaked and there is no way to change that. Users should remain vigilant and be on the lookout for any odd account behavior.

Looking ahead, things could get worse before they become better. The investigation into Cloudbleed and its reach has just begun. The leak appears to have been plugged, but more companies are expected to join the list of affected Cloudflare customers.