A new security vulnerability you should know about has hit the web. This code error may have caused passwords, messages, cookies and more to leak onto the internet. While there’s reason not to panic, there are steps you should take to protect yourself.
What is it?
Called Cloudbleed (a play on the Heartbleed breach of last year), this vulnerability caused information from certain websites—which may have included private information such as passwords, cookies and authentication tokens—to leak onto the web. All of the affected sites use a company named Cloudflare to improve the performance and security of their website.
A Google researcher, who is part of Google’s Project Zero team of security analysts, discovered the leak and Cloudflare stopped it 44 minutes later (it was fully patched in seven hours). Cloudflare is saying they’re pretty confident the vulnerability was not exploited, but it’s a little hard to know for sure.
What happened?
The error occurred in just a single character of Cloudflare’s code, yet the effects were huge. The slight error meant that passwords, encryption keys, personal information, etc. weren’t always saved securely. Instead, some of that information could have leaked out into the open Internet and then been cached by search engines like Google. So what? Cached data is a prime target for hackers.
Adding to the concern, the code error has been around since September of 2016, meaning there is potentially six months’ worth of data out there, but no one knows exactly how much. Still, don’t panic quite yet. While Cloudbleed is certainly troubling, not every piece of information leaked. The leak “peaked” for only six days and might have happened in 0.000003% of internet server requests through Cloudflare.
Which websites?
Right now, reports say that “only” 3,400 websites were potentially affected. This is small compared to the Heartbleed vulnerability, but some of the companies Cloudflare works with are big. Uber, Yelp, Fitbit, Medium, Change.org, Nasdaq, Bain Capital, OKCupid, ZenDesk and Cisco are all clients, but not all of them may have been hit by Cloudbleed.
Complicating matters, while there may be 3,400 websites directly affected, the number of sites indirectly affected by the bug could be much larger. Some of Cloudflare’s clients have their own customers with their own websites. This means the number of affected sites could be much bigger than it appears on the surface.
Cloudflare says that many of these sites may be old and were simply touched by Google for indexing purposes. Still, the company is working with search engines to delete data stored in any cache.
* Important Note: TDS Telecom DOES NOT have a vendor relationship with Cloudflare client. *
What you should do
The data is out there, and you can’t change that. But what you can do is change your passwords. If you have logins at any of the sites mentioned on this list, we strongly recommend that you change your passwords immediately, as well as monitor the accounts for any signs of suspicious activity. You can also visit doesitusecloudflare.com, enter a site URL and find out if the site uses Cloudflare (which does not necessarily mean it was affected by the vulnerability, but better safe than sorry).
Also, consider enabling two-factor authentication wherever you can. It adds an extra layer of security by requiring not only your password, but also a second unique code—often sent to a smartphone—to log in to any accounts. PC Magazine has a fairly current list of which popular sites have two-factor authentication and how to set it up.