Another Day, Another Data Breach: Cloudflare Experiences Massive Memory Leak
The web services and security company's leak may have exposed user data for thousands of sites
It's time to change your passwords again.
A huge memory leak from Cloudflare, a web services and security company, might have exposed user data for thousands of websites that use its service.
The leak has been dubbed "Cloudbleed," a reference to 2014's Heartbleed bug. Relatively little is known about the impact the leak will have, but what is known is particularly concerning: some of the leaks—which may have included user information—was cacheable by search engines. Once a search engine indexed it, cybercriminals might have collected and stored the data.
Cloudflare says that "the greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage."
No official list of impacted sites has been made available yet, but many services are requesting that their users change their passwords anyway. The company has admitted that more than 1,000 domains have been compromised.
One noteable company that may have been compromised is Authy.com, which prevents unauthorized access to users' devices and apps by verifying the user with a second factor connected to the device. For example, a financial website may require the user to enter both their account password (the first factor) and a seven-digit authentication code (the second factor) generated by the Authy app before it will let the user log into their account.
Authy issued this statement: "To the best of Cloudflare's knowledge, Authy data was not discovered in any known cache but we are treating as if we are impacted. We are taking steps now, emailing customers with more detail & will publish a blog post soon."
Cloudflare notes that it has "not discovered any evidence of malicious exploits of the bug."