The Denver Post

BREACH MEANS IT’S TIME TO CHANGE PASSWORDS – AGAIN

- By Hayley Tsukayama

Security firm Cloudflare disclosed late Thursday that a long-running bug in its security systems may have leaked information, including potentially personal information, from thousands of sites, including Uber, Fitbit and OK Cupid.

The problem was first uncovered by Google security expert Tavis Ormandy, who let Cloudflare know about the issue Feb. 18. But the service had been leaking information for months in a way that allowed search engines to pick it up, according to Cloudflare.

The issue is only known to have affected a small portion of the 5.5 million sites that Cloudflare services. Cloudflare did not release a list of affected sites.

Because there’s so little information about the sites and Cloudflare services are widely used, it’s a good idea to change your passwords on any site in a “better safe than sorry” sort of way.

Computer science professor Matthew Green compares the situation to a food recall.

“It’s probably not going to affect you, but it’s hard to say,” said Green, who works at Johns Hopkins University. “Maybe you find that a few containers of yogurt have some added bacteria. Probably, you can go eat yogurt. But would you want to?”

Cloudflare posted a technical explanation of the problem to its blog. Essentially, the company was changing over from older code to newer code. Running both at the same time created an unforeseen issue that, when combined with some other features that Cloudflare offers, caused a data leak.

Cloudflare said it has fixed the problem and is working to get the pages with personal information taken off the search engines.

For what it’s worth, however, Cloudflare has said it hasn’t heard of any personal information from this leak being used in a malicious way. But as other security experts have said in blog posts and other commentary on the leak, there’s really no way to prove that.
