What Exactly Happened?
Over the past 24 hours, you may have seen a series of articles asking whether you should be worried about Cloudbleed, a massive new online security bug disclosed on February 24. We’ll cut to the chase: Yeah, you probably should be worried.
Before we sound the alarms, let’s go over what exactly Cloudbleed is. On Friday, Tavis Ormandy of Google’s Project Zero found a vulnerability in Cloudflare, one of the world’s leading internet security companies.
The bug apparently resulted in Cloudflare-backed websites leaking data for months – as far back as September 2016.
The code has now been fixed, but Cloudflare’s clients include huge companies like Uber, OKCupid, ZenDesk, Bain Capital and FitBit, meaning your sensitive data from any of those companies or a long list of others could have been compromised.
The name Cloudbleed was inspired by the 2014 security bug Heartbleed, another massive security bug that affected up to 500,000 websites. This time around, only about 3,400 websites are believed to have triggered the Cloudbleed bug directly.
However, the pages those sites leaked contained private data belonging to other Cloudflare clients, so the actual number of sites with compromised data could be much higher.
The Cloudbleed bug is no longer active – it was stopped within 44 minutes of Cloudflare learning about it and completely fixed within 7 hours – but there is no way to get back the data that may have been leaked in the meantime.
But I Don’t Use Cloudflare…
Even though the name Cloudflare may not be familiar, chances are a website you frequent uses their service for security online. Cloudflare says that at the peak of Cloudbleed about “1 in every 3,300,000 HTTP requests through Cloudflare” potentially resulted in memory leakage, which works out to about 0.00003% of requests. The leaked data could have been passwords and usernames, private photos or videos, or behind-the-scenes things like server information.
Cleaning up the bleed
Here’s the thing with Cloudbleed – as far as we know, it’s over. You can use this easy search engine to see whether services you use rely on Cloudflare, and promptly change your passwords for those that do, but nothing you can do now will reverse the leak itself.
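One way to do that check yourself, as an added example that is not part of the original post and not Cloudflare’s own tooling: when Cloudflare sits in front of a site, the responses you receive carry Cloudflare’s edge headers rather than the origin server’s. The script below parses a captured HTTP response header block and flags the well-known indicators (a “Server: cloudflare” header and a “CF-RAY” header). The sample responses are constructed for the example, and the hostnames are placeholders.

```python
# Indicators that a response came through Cloudflare's edge rather than straight
# from the origin server. Assumption: we rely only on the widely documented
# "Server: cloudflare" value and the "CF-RAY" request-trace header.
CF_SERVER_VALUE = "cloudflare"
CF_RAY_HEADER = "cf-ray"


def parse_headers(raw):
    """Split a raw HTTP/1.1 response header block into (status_line, headers).

    Header names are lower-cased so lookups are case-insensitive; parsing stops
    at the blank line that separates headers from the body.
    """
    lines = raw.strip().splitlines()
    if not lines:
        raise ValueError("empty response")
    status_line = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        if ":" not in line:
            continue  # malformed line; skip it rather than fail the whole check
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def cloudflare_indicators(raw):
    """Return (fronted_by_cloudflare, evidence) for one response header block."""
    _, headers = parse_headers(raw)
    evidence = []
    server = headers.get("server", "")
    if server.lower() == CF_SERVER_VALUE:
        evidence.append("server: " + server)
    if CF_RAY_HEADER in headers:
        evidence.append("cf-ray: " + headers[CF_RAY_HEADER])
    return bool(evidence), evidence


def triage(responses):
    """Map each hostname to True if its response looks Cloudflare-fronted.

    The result doubles as a password-rotation list for the sites that are.
    """
    return {host: cloudflare_indicators(raw)[0] for host, raw in responses.items()}


# Constructed sample responses (not real captures); hostnames are placeholders.
SAMPLE_RESPONSES = {
    "example-shop.test": (
        "HTTP/1.1 200 OK\r\n"
        "Server: cloudflare\r\n"
        "CF-RAY: 0123456789abcdef-EXAMPLE\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ),
    "example-bank.test": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ),
}

if __name__ == "__main__":
    for host, fronted in triage(SAMPLE_RESPONSES).items():
        verdict = "rotate password" if fronted else "no Cloudflare headers seen"
        print(f"{host}: {verdict}")
```

To use it on a real site, paste the header block from your browser’s network inspector (or from a `curl -I` call) into the dictionary in place of the constructed samples. Treat a negative result as “no evidence”, not proof: a site can hide or rewrite these headers, so the published list of Cloudflare-backed domains remains the more reliable source, and rotating a password you share across sites is cheap either way.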
“You should not jump ship on all websites that use Cloudflare for security, and instead should just get more used to changing your passwords regularly.”
Using two-step verification when offered is a good idea, too.
For now, the biggest significance of Cloudbleed is that it reminds us that services like Cloudflare do provide stronger, more secure protections than the average company would probably implement on its own, but that convenience also brings a new set of risks. Maybe this is a massive understatement, but the saying “No use crying over spilled milk” seems especially relevant here. When you spill milk, you clean it up, but there isn’t much more you can do.