Update 1: See list of sites below.
Update 2: We received a brief statement from Uber
Very little Uber traffic goes through Cloudflare. Only a handful of tokens were involved and have since been changed. Passwords were not exposed.
Update 3: OKCupid has made a similar statement
Cloudflare alerted us last night of their bug and we’ve been looking into its impact on OkCupid members. Our initial investigation has revealed minimal, if any, exposure. If we determine that any of our users has been impacted we will promptly notify them and take action to protect them.
User data from 3,400 websites has been leaked and cached by search engines as a result of a bug in Cloudflare, a content delivery network. Sites affected over the course of several months include major ones like Uber, Fitbit and dating site OKCupid. 1Password also uses Cloudflare, but says that end-to-end encryption means that no customer data was exposed.
ArsTechnica reports that the leaks were spotted by Google security researcher Tavis Ormandy.
We observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security.
Cloudflare has admitted that the breach occurred, but Ormandy and other security researchers believe the company is underplaying the severity of the incident …
A Cloudflare blog post acknowledges that the issue was serious, but says there is no evidence of it having been exploited.
The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.
Ormandy responded by writing:
[The company’s blog post] contains an excellent postmortem, but severely downplays the risk to customers.
Security researcher Ryan Lackey agrees, saying that while the likelihood of passwords being exposed is low, that risk does exist and that users are advised to change them.
While Cloudflare’s service was rapidly patched to eliminate this bug, data was leaking constantly before this point — for months. Some of this data was cached publicly in search engines such as Google, and is being removed. Other data might exist in other caches and services throughout the Internet […]
The most sensitive information leaked is authentication information and credentials. A compromise of this data can have lasting and ongoing consequences until credentials are revoked and replaced. From an individual perspective, this is straightforward —the most effective mitigation is to change your passwords.
Google, Bing, Yahoo and other search engines have been working on clearing cached data from the breach before anyone went public, hence the delayed notification, but ArsTechnica notes that some cached data remains.
This incident underlines the vulnerability of even the most secure services to weaknesses in third-party code. Just yesterday, it was revealed that Apple has cut ties with one of its server suppliers after potential security issues were found in firmware updates. Apple is reportedly working on building its own cloud infrastructure – including servers – to avoid the risk of hardware being compromised either accidentally or deliberately.
Check out our recent guide to password management.
An unofficial list of sites that may be affected has been posted to Github, but note that this includes all domains that use Cloudflare DNS – a much larger number than use the affected services.