What Does the Cloudflare Bug Mean for Users?

Date: 02/27/2017

The ITRC tracks record-setting numbers of hacking events and data breaches every year, and many of them make major news headlines. Sometimes, though, the root cause of a massive breach isn’t nefarious cybercriminals, but just a flaw in the software.

Cloudflare experienced a potential data breach last week that appears to be the result of a bug in its software. The bug had been in place for years and had gone undetected, but recent changes to the company’s software “activated” it, making it possible for data to be leaked directly online.

What is Cloudflare? Ironically, it’s a company that provides web protection services to a number of major websites, including Uber, Yelp, Medium, and many, many more. A longer list of those websites that relied on Cloudflare to prevent DDoS attacks, among other things, was published by Gizmodo, but that list is not comprehensive. There are also many other sites like TunnelBear and Crunchyroll that use Cloudflare for some services, but not the kind that was affected by this bug; therefore, several of those websites have already begun informing customers that their user data is safe.

The kind of bug that caused this problem basically allowed information to leak out once the buffering was completed. It rerouted the information back to the search engine, meaning no one should have found your data, but they could have. Now that the leak has been widely publicized, there’s a good chance data miners will go hunting for it.

The leaked information typically included email addresses or usernames, along with passwords. If you’re one of the many people who’ve fallen into the bad habit of reusing your password on multiple websites, you may be at risk of having other accounts compromised. Cloudflare is encouraging users to change their passwords immediately on any of the sites it served, but changing your password on any other site where you reused a password from a Cloudflare-protected site is also a good idea. From there, you need to monitor your online accounts for any signs of unauthorized activity.
