Cloudbleed: What you need to know and what you need to do

On February 17, 2017, vulnerability researcher from Google's Project Zero Tavis Ormandy stumbled across what looked like a really nasty data leak from Cloudflare, a web performance and security company. He quickly contacted the "right" people at Cloudflare and the situation was addressed in less than an hour.

Any data breach can be significant. Especially when a service has over one billion users. We'll direct you to the Cloudflare incident report for the full details of what happened (warning: it's pretty technical). In layman's terms, data was leaked that was potentially sensitive. This data was available to anyone, even web spiders used by search engines. SSL keys were not leaked.

The Cloudflare features that used the affected HTML parser (email obfuscation, Server-side Excludes, and Automatic HTTPS Rewrites) were in use by a lot of companies. Most likely companies that you have online accounts with. This means your data may have been exposed.

Mobile Nations, which operates Windows Central, uses some of Cloudflare's services. In fact, you'll find us on the list floating around of sites potentially affected. We have verified that the affected services aren't in use nor have ever been used on any Mobile Nations sites.

See more

We also received notice from Cloudflare about the leak and they had this to say:

Your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.

Look for a similar statement from other places you have an account with for information about your data that may have been exposed.

What should you do?

Enpass

Enpass

Like most big security instances, we'll never know the full details of what was and wasn't leaked out. We can confirm that we aren't using the services that were mentioned as vulnerable, but we don't know how anything else on Cloudflare's servers might have been affected. Every Cloudflare customer is in the same boat.

That means it's time for you to get proactive.

Change the passwords for all of your online accounts

Yes, this sucks, but know what sucks more? Having someone get your details and have access to stuff you don't want them to have access to. Use a password manager and let it make crazy passwords and remember them for you if you don't have your own password management routine. If you haven't used a password manager in the past but wanted to check one out, now is a perfect time.

More: Best password managers for Windows

Now is also a good time to remember that you should be changing your passwords regularly, which makes a password manager a must if you have a lot of accounts.

Enable two-factor authentication on every account possible

If you have two-factor authentication enabled, someone else with your login details still won't be able to access your account. Two-factor authentication can also be a pain in the butt sometimes, but it's the best way to protect yourself when a big data breach happens, like the one we're seeing now.

Here are some resources on two-factor authentication.

Nothing we can do will prevent these kinds of data leaks. The important thing is what we can do to protect ourselves when they happen.

Jerry Hildenbrand

I'm an RHCE and Electrical Engineer who loves gadgets of all kinds. You'll find my writings across Mobile Nations and you can hit me on Twitter if you want to say hey.

12 Comments
  • Speaking of password managers, LastPass password syncing across devices is now available in the free version.
  • I don’t get why we must change pwds for every single acct we have, no way I’m doing that, I have 700-odd. I see nowhere in the article, that clearly articulates why this is necessary, admittedly I did skim read.
  • It is mentioned in the article lol - second line or so under why you should change your passwords...
  • ...second line or so under why you should change your passwords...
    There is no heading called "Why you should change your passwords"? Cheers.
  • Another advantage of a password manager is that you can go through the list one by one if you need to and reset everything. Rather than keeping a list mentally or elsewhere in OneNote or a Word Doc
  • Lord, nit that Tavis dill-hole. It has been pointed out so many times, if he was doing this for the good, he wouldn't be making public announcements of these issues. Just a **** stirrer in sheep's clothing.
  • Would you rather have security researchers not tell the public when there's a security breach so that people wouldn't know to change their passwords? Especially considering this one has already been patched.
  • I'd rather he work with them instead of immediately announcing to everyone, including the bad guys, that there is an issue. He might want to start with many of the Google services with issues and all the holes in Android. I dont see him going public with that mess.
  • On February 17, he contacted Cloudflare and they fixed it under a hour, which means this can't be exploited anymore in the way the security researcher discovered the flaw.
  • Thanks for the info. Have a glorious evening.
  • anyone else notice that the article about the new forums used android devices for all images? their excuse was that it was a 'generic' article for all of the MN sites. HOWEVER...in THIS article, they use a WP and PC, but on the AC site, they are using a Android phone, even though the information is basically the same.
  • Newsflash: even Microsoft doesn't use Windows phones!