Have you heard? A tiny bug in Cloudflare’s code has led an unknown quantity of data—including passwords, personal information, messages, cookies, and more—to leak all over the internet. If you haven’t heard of the so-called Cloudbleed vulnerability, keep reading. This is a scary big deal.
Let’s start with the good news. Cloudflare, one of the world’s largest internet security companies, acted fast when security researcher Tavis Ormandy of Google’s Project Zero identified the vulnerability.
The bad news is that the Cloudflare-backed websites had been leaking data for months before Ormandy noticed the bug. Cloudflare says the earliest data leak dates back to September 2016. So far, it's unclear whether black-hat hackers had already found the vulnerability and exploited it secretly before Cloudflare fixed its code. Cloudflare’s clients include huge companies like Uber, OkCupid, 1Password (Update: 1Password claims its user data is safe), and Fitbit. That means a holy fuck ton of sensitive data has potentially been compromised.