Major CloudFlare data leak on millions of Websites – and Apps

Normally, you may find your stolen email addresses and sometimes even stolen passwords in the wrong hands because a certain website has been individually compromised – as happened with Adobe, DropBox or Yahoo recently.

Even though the Yahoo breach with more than 500 million affected user accounts sounds like a major breach, the recent CloudFlare data leak has a new dimension.

CloudFlare is a service used by millions of websites to improve availability and speed. CloudFlare's servers sit between the visitor of a website and the website itself and can be seen as a kind of cache.

What happened is that between September 22nd 2016 and February 18th 2017, CloudFlare had a bug which caused CloudFlare to respond to the website visitor with memory contents of the CloudFlare servers instead of the contents of the visited website.

These memory contents often contain sensitive data of other websites such as API keys, security tokens or even internal server and database passwords. Not only may this data contain your personal data; even worse, with this information the affected website and database can be compromised.
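The post does not say how the bug worked internally, so the following is an added, constructed illustration of the general bug class (not CloudFlare's code and not a description of their actual defect): a proxy that rewrites HTML scans a tag for its closing `>` without checking the end of the page body, and an unterminated tag makes it copy whatever sits after the body in memory into the response. The arena, the sample body, the neighbouring request bytes and the placeholder token are all constructed; the bounded variant shows the fix.

```c
/* Added illustration, not CloudFlare's code: a reverse proxy that rewrites
 * HTML on the way to the visitor. The fixed-size arena models the proxy's
 * heap: the page body occupies the first body_len bytes, and the bytes
 * right after it hold data from another tenant's request (a constructed
 * sample with a placeholder token). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 256
#define OUT_SIZE   128

/* Constructed sample: the body ends with an unterminated tag. */
static const char SAMPLE_BODY[] = "<html><body>hi <a href=\"/x";
/* Constructed sample: bytes of another request lying next to the body. */
static const char SAMPLE_NEIGHBOUR[] = "Authorization: Bearer SECRET-TOKEN-placeholder";

/* Lay out the body followed immediately by the neighbouring request's
 * bytes, zero-fill the rest, and return the index where the last tag
 * starts. */
static size_t build_sample_arena(char *arena, size_t *body_len) {
    memset(arena, 0, ARENA_SIZE);
    memcpy(arena, SAMPLE_BODY, sizeof SAMPLE_BODY - 1);
    memcpy(arena + sizeof SAMPLE_BODY - 1, SAMPLE_NEIGHBOUR, sizeof SAMPLE_NEIGHBOUR - 1);
    *body_len = sizeof SAMPLE_BODY - 1;
    const char *lt = strrchr(SAMPLE_BODY, '<');
    return (size_t)(lt - SAMPLE_BODY);
}

/* Copy the tag starting at `start` into `out`, stopping at '>'.
 * Vulnerable variant: the end of the body is never consulted, so an
 * unterminated tag keeps reading into whatever follows the body. */
static size_t copy_tag_vulnerable(const char *arena, size_t start, size_t body_len,
                                  char *out, size_t out_size) {
    (void)body_len;                          /* the bug: bound ignored */
    size_t n = 0;
    while (n < out_size - 1 && arena[start + n] != '>') {
        out[n] = arena[start + n];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Bounded variant: the scan stops at the end of the body, so an
 * unterminated tag yields only the bytes that belong to this page. */
static size_t copy_tag_fixed(const char *arena, size_t start, size_t body_len,
                             char *out, size_t out_size) {
    size_t n = 0;
    while (start + n < body_len && n < out_size - 1 && arena[start + n] != '>') {
        out[n] = arena[start + n];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Returns 1 if the copied tag contains the neighbouring request's data. */
static int leaks_neighbour(size_t (*copy_tag)(const char *, size_t, size_t, char *, size_t)) {
    char arena[ARENA_SIZE];
    char out[OUT_SIZE];
    size_t body_len;
    size_t start = build_sample_arena(arena, &body_len);
    copy_tag(arena, start, body_len, out, sizeof out);
    return strstr(out, "SECRET-TOKEN") != NULL;
}

int vulnerable_leaks(void) { return leaks_neighbour(copy_tag_vulnerable); }
int fixed_leaks(void)      { return leaks_neighbour(copy_tag_fixed); }

int main(void) {
    printf("unbounded scanner leaks neighbour data: %s\n", vulnerable_leaks() ? "yes" : "no");
    printf("bounded scanner leaks neighbour data:   %s\n", fixed_leaks() ? "yes" : "no");
    return 0;
}
```

The point for defenders is that the leaked bytes are never "the page" at all: they are whatever happened to be adjacent in the proxy's memory, which is why secrets of unrelated sites turned up in responses and, once cached and indexed, in search results.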

Things got worse as this leaked content has already been indexed by search engines like Google over the past months. The issue is that the data is now (still) available to everybody and can easily be found using special search terms. Google and other search engines are working on deleting such content, but it will be almost impossible to get rid of all leaked data.

Nick Sweeting provides a zipped list of sites (so far he has found more than 4 million) that use CloudFlare and might be affected by this leak.

Not only websites but also apps (iOS and Android) such as FitBit and Uber are affected, as they also use CloudFlare for data exchange. Data from such apps has also been found by searching Google.

So what can you do?

Not much, to be honest, but you can take this as a gentle reminder to:

  • Change passwords frequently
  • Don’t use one and the same password for different services
  • Use fake accounts and fake Email addresses for registration wherever possible
  • Don’t trust the evil

Best regards,

Marcus