Another day, another data leak — though this one might turn out to be a little more monstrous than the rest. Internet infrastructure company Cloudflare has admitted that a bug in its system caused user information to randomly leak across the internet — information that includes cookies, login information, API keys, and more.
The bug, which has been dubbed “Cloudbleed,” was first discovered by Tavis Ormandy, a Google Project Zero vulnerability researcher, on February 17. It was revealed, however, that the data breach may have begun as far back as September 22. In some instances, the Cloudflare platform randomly injected user data from any of the company’s 6 million customers — which include the likes of Fitbit and Uber.
According to Cloudflare, most of the information wasn’t leaked on high-traffic websites, and even the information that was leaked to high-traffic websites was hard to find. Still, as the service was leaking information all over the web, that information was being recorded in the caches of search engines like Google, making it easier for those with potentially malicious intent to find it and use it.
Thankfully, it seems as though Cloudflare has acted quickly in an attempt to remedy the situation. A preliminary fix was pushed less than an hour after it learned of the issue, and it was permanently patched in under seven hours — exactly the type of response that would be expected from a large internet company like Cloudflare. In the cleanup, the company says that 3,000 customers in total were triggering the bug while it was active.
“The industry standard time allowed to deploy a fix for a bug like this is usually three months; we were completely finished globally in under seven hours with an initial mitigation in 47 minutes,” said the company in a blog post.
While cleanup was quick, you should still change your passwords to mitigate risk. Yep, all of them — although pay special attention to things like online banking and other highly sensitive services. The Cloudbleed bug could have exposed anything, and unfortunately you may not know that your information was leaked until it’s too late.