Cloudbleed: What Does It Mean and Who’s At Risk?

Experts Exchange: The Original Technology Community.

February 24, 2017 — On February 23, Tavis Ormandy, a vulnerability researcher at Google, reported on Twitter that CloudFlare, a company that provides internet security, content delivery, and domain name services to more than 2 million websites, has been leaking massive stores of data since September.

Because this leaked information was being cached by search engines, random cyber adversaries have had access to passwords, private messages, API keys, and other sensitive pieces of information from major sites such as FitBit and Uber.

“In the early hours this morning, Experts Exchange was notified by CloudFlare that our domain was not found in the caches of exposed data during the Cloudbleed situation,” says Phil Phillips, DevOps Director at Experts Exchange.

Ormandy has laid out the specifics of the leak in detail on Monorail, an issue-tracking site for Chromium-related projects, showing that he originally discovered the leak and reported it on February 19th.

CloudFlare stated in their press release that the greatest period of consumer impact occurred between February 13 and 18, with close to “1 in every 3,300,000 HTTP requests” resulting in a possible memory leak.

To be sure of your company’s security, check out the list of domains affected by this leak. If yours is included on the list, immediately begin repair and mitigation. If yours was not included, our team of experts advises that each individual in your company still proceed with changing passwords and access codes.

In the days ahead, as companies begin to understand and navigate the level of damage caused by Cloudbleed, Experts Exchange is poised to be the location for handling questions and solutions on the topic. 

For more information on the leak and how to secure your domain moving forward, reach out to our community with questions on processes and best practices; reference protocols established on site during similar past instances, like Heartbleed’s large data leak in 2015; and stay plugged in to provide your expertise in helping other members as they mend and rebuild.

Comments (2)

David Atkin, Technical Director
Top Expert 2015

I've used Cloudflare for about a year now. Fortunately none of my sites were subject to the 'Cloudbleed' bug.

You have to admire CloudFlare's transparency with this issue - it's something that they do well. The actual CloudFlare write-up is far beyond my understanding, but from the layman's point of view, it sounds like the response time for the issue and fix was excellent.

Despite the issue I'm happy to continue using their service.

Mihai Corbuleac, Azure/AWS consultant

Very transparent, not like Yahoo's recent security breach.
