Change your passwords! Cloudflare vulnerability may have leaked personal information for months

Cloudflare is behind many of the largest consumer web services (Uber, Fitbit, OKCupid, …), so rather than trying to identify which services are on Cloudflare, it’s probably most prudent to use this as an opportunity to rotate ALL passwords on all of your sites.

Affected sites include OKCupid, Yelp, Pingdom, Montecito Bank and Trust, Uber, Lyft, Coinbase, Bitpay, Product Hunt, Udemy, Crunchyroll, Fitbit, Hacker News, Stack Overflow, Zendesk, Discord and many many others.

What happened?

. +Tavis Ormandy of Google’s Project Zero uncovered a major vulnerability in the Cloudflare Internet infrastructure service. Essentially, web requests to Cloudflare-backed sites received answers which included random information from other Cloudflare-backed sites! This information could potentially include confidential information (private messages on dating sites, emails), user identity information (Personally Identifying Information (PII), and potentially in a healthcare context, Protected Health Information (PHI), or user, application, or device credentials (passwords, API keys, authentication tokens, etc.).

This was discovered because some of this information was cached in the Google search results! (Google is removing this content, but the damage may be done).

This is now fixed, but the earliest date memory could have leaked is September 22, 2016.

Read the Project Zero report:

Cloudflare Incident Report:

Hacker News discussion:

Quotes from Ryan Lackey's article at Medium:
Shared publiclyView activity