Internet Data Leak Exposed Involving Cloudflare

The good news and the bad news: Cloudflare, an internet infrastructure security and performance company providing its services to millions of websites, revealed on Thursday, February 23, 2017, that a bug in their system caused a memory leak.

The Good News About Cloudflare’s Cybersecurity Leak

While it may be hard to find anything positive about a cybersecurity leak from a company as large as Cloudflare, which provides its security and performance services to about six million websites, there is a silver lining in this cloud. The leakage of information from the websites involved a bug in Cloudflare’s coding rather than a successful hacking of customer-sensitive information. Bits and pieces of information, including cookies, messages, passwords, personal info and more, were divulged through the data leak and found their way to search engines and websites.

In its announcement of the data leak on February 23, 2017, Cloudflare thanked Google’s Project Zero team for notifying Cloudflare of the issue once Google’s team became aware of it on February 17, 2017. The announcement detailed the corrective action Cloudflare took to fix the coding bug, explaining “we were completely finished globally in under 7 hours with an initial mitigation in 47 minutes.”

Some of the leaked data would be unusable to would-be criminals due to security protections in use by some of the sites using Cloudflare.

The Bad News About Cloudflare’s Cybersecurity Leak

It appears that the data leakage began to be an issue in September 2016, with Cloudflare determining that the period of greatest leakage occurred between February 13 and February 18, 2017, with one in every 3,300,000 HTTP requests through the company potentially leaking sensitive information.

And while Cloudflare worked with all of the major search engines to clear leaked data from their records, cybersecurity experts outside the company remain concerned that overseas search engines may still have the leaked data in their systems.

To Change or Not Change Your Passwords, That Is the Question

While many cybersecurity experts are advising internet users to change their passwords in light of Cloudflare’s data leakage, not knowing what sensitive information may still be available in the public domain, Joseph Steinberg, a cybersecurity expert himself, has advised against it, unless Cloudflare itself, or one of the sites whose data was leaked, tells you to do so.

Steinberg listed several reasons why it may neither be necessary nor prudent to change passwords in light of the Cloudflare data leak. At this point, it is not apparent that criminals knew of the leaked data to exploit it, even if they could have accessed enough leaked data to be useful without triggering DDoS protections at Cloudflare.

Steinberg likens the need for a password change due to the data leakage to the decision a homeowner would need to make if s/he left the house key in the door overnight: Do you change all your locks because there is a chance a criminal saw the key in the door and copied it or do you wait to find out that an undesirable person stole your house key?
