San Francisco firm spills internet users’ data in massive leak

San Francisco internet-services firm Cloudflare has been leaking internet users’ personal data out into the digital world, possibly for months.

Potentially affected? Just about everyone who uses the internet.

That’s because the bug caused personal information held by some of Cloudflare’s website clients to bleed into websites of other clients. And Cloudflare has millions of clients.

“The examples we’re finding are so bad,” Google security researcher Tavis Ormandy, who discovered the leak Feb. 18 and notified Cloudflare, wrote in an advisory. “I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings.”

Leaked information might include passwords, hotel booking information that could contain credit card data, highly personal dating site messages and more, said Adam Levin, founder of identity-protection firm CyberScout and author of the book Swiped.

Tech website Gizmodo reported that Uber is also a customer of Cloudflare. Security researchers probing the leak have been documenting their findings on Y Combinator’s Hacker News forum. One person said Uber data had been leaked, including location information. An Uber spokeswoman said only a “small fraction” of the company’s internet traffic goes through Cloudflare, “and the impact was limited to a handful of session tokens, which have already been changed.”

Cloudflare’s bug has already been nicknamed “Cloudbleed” because of its similarities to the “Heartbleed” bug discovered in 2014, which compromised internet security.

The Cloudflare bug had been present since September, but the period of worst impact was Feb. 13 to Feb. 18, when one in every 3.3 million website connections processed by Cloudflare was subject to leakage, Cloudflare said. “Because Cloudflare serves billions of pages each day, the number of leaky pages added up to about 120,000 a day,” the Wall Street Journal reported (paywall).

Cloudflare provides optimization and security services to websites; internet users’ connections to its clients’ sites go through Cloudflare’s cloud servers.

The biggest question, said Levin, is whether criminals in the business of scouring the web for information useful for identity theft found data leaked via Cloudflare.

“The problem is, you don’t know,” Levin said. “There are people out there that look for this stuff every minute of every day.

“It may be nothing in the sense that nobody ends up getting harmed because nobody saw (the data) before the bug hunter found it, but a lot of people might’ve seen it before the bug hunter found it.”

Leaked passwords, if they can be unscrambled, are precious treasure for identity thieves because many people use the same password across multiple internet accounts, Levin said. “The people who have them will use them to run against a number of different websites to see if they can get in,” he said.

Any data found by bad actors via the Cloudflare leak could be combined with personal information gained via other leaks and data breaches such as those famously suffered by Yahoo that affected more than a billion user accounts, Levin said. With sufficient data, criminals can impersonate a particular person, or gain access to their online accounts, he said.

Cloudflare’s head of information security, Marc Rogers, said the firm doesn’t know how many internet users may be at risk of having leaked personal data fall into the hands of the ill-intentioned. But the company believes the risk is very low, Rogers said.

While affected websites were being scrubbed of data leaked onto their pages, all the major search engine companies were putting significant resources into finding leaked data that had been preserved in cached web pages, Rogers said.

Rogers said Cloudflare has come across nothing resembling what Google’s Ormandy said he’d found. “By and large the majority of what we see is web page fragments and web page headers. It looks like gobbledygook,” he said. “The amount of actual harmful usable data is very small.”

He’s heard of only one leaked password being discovered, he said. “We’ve seen a very small amount of location information,” Rogers said.

He estimated that 80 percent to 90 percent of the leaked information has now been removed from potential public view.

“We’re essentially going to stick to our guns and keep at this until we’ve remediated all of the data that’s out there,” Rogers said.

Concerned internet users may want to change the passwords they use, and refresh any open sessions on internet-based accounts, he said.

Levin warned that the leak, plus the constant web hacking that goes on these days, means internet users should take further precautions.

Passwords should be “long and strong” and never used across multiple accounts; two-factor authentication should be used for account access; and people should check with their employers, insurance companies and financial-services reps to see whether identity-protection services may be available to them, Levin said.

Dating site OkCupid, a client of Cloudflare, found “minimal, if any, exposure” of customers’ data, the Wall Street Journal reported.

AgileBits, which makes password-security software and is another Cloudflare client, told the Journal that users of its password software weren’t at risk because AgileBits uses multiple encryption layers.


Photo: Internet use (AP Photo/Damian Dovarganes, File)

