Cloudflare, which provides SSL encryption and optimization services for millions of websites, has announced that sensitive personal data including cookies, API keys, and passwords have been leaked due to a coding bug. Messages from dating sites were also found in the data. The firm reported that it does not believe that the leaked information has been used for malicious ends; however, the leak had the potential to cause numerous issues because search engines had cached the data, meaning that the sensitive information could have been found via search before the leak was discovered. Cloudflare reportedly delayed the announcement in order to allow search engines to scrub their caches before the public could try to access the data.
Google’s Project Zero security initiative was the first to discover the leak on February 18th but believes that the leak may have been active as early as last September. The data had “escaped” Cloudflare’s encryption due to a coding error, which caused one in every three million HTTP requests to leak memory. Thus, every time a website using Cloudflare software was accessed there was a danger of leaking information. Given the number of sites Cloudflare serves, the leaked requests add up.
A variety of websites were affected by the bug. Dating sites such as OkCupid were among the most affected due to the nature of the information released, but the list includes other websites such as Patreon, a website that collects donations for content creators, and Uber.com.
Experts recommend that users of these websites change their passwords and, given how pervasive Cloudflare is, that all Internet users consider changing their passwords anyway.