Change Your Passwords. Now.

PublishedFebruary 24, 2017

We may earn a commission from links on this page.

A massive memory leak from web services and security company Cloudflare may have exposed user data for thousands of sites. In other words: it’s time to change your passwords.

Watch

Twitter Is Shifting Right | Future Tech

view video

Twitter Is Shifting Right | Future Tech

Bert Kreischer’s Secret Twitter Handle Was Ridiculous | Gizmodo Quiz

Wednesday 10:20AM

Sean Gunn’s Favorite Songs From the Guardians Series

Wednesday 9:35AM

There’s lots left to discover about the impact of the leakage—which is being called Cloudbleed, similar to the Heartbleed bug back in 2014. What we do know that makes this so worrisome is that some of the memory leaks, which may have included user data, was able to be cached by search engines. Once indexed, nefarious types may have scraped and stored that data.

Cloudbleed was discovered by Tavis Ormandy of Google’s security analysist team Project Zero on February 18th. How it was found and patched, and what exactly was causing these leaks is exhaustively detailed by Cloudflare in a blog post. According to Cloudflare, “the greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage.”

So far there is no official list of affected sites, though many services are asking users to change their passwords regardless. A Github user has posted a list of sites they believe have been compromised, along with the caveat that “just because a domain is on the list does not mean the site is compromised, and sites may be compromised that do not appear on this list.” According to this user—who scraped a variety of sites—up to 4,287,625 may be at risk. Cloudflare itself admitted to over 1,000 compromised domains.

Worryingly, Authy makes the list—meaning even accounts protected by 2-factor authentication may still be at risk (and requiring a password change.) “We have also not discovered any evidence of malicious exploits of the bug,” the Cloudflare post notes, though that seems a lot like something a company which was just implicated in a gigantic leak would say.

Below are some of the notable sites believed to be at risk. You can read them now, but we’d really recommend changing your passwords first.

authy.com
patreon.com
medium.com
4chan.org
yelp.com
zendesk.com
uber.com
thepiratebay.org
pastebin.com
discordapp.com
change.org
feedly.com
hardsextube.com
nationalreview.com
petapixel.com
puu.sh
putlocker.ws
tineye.com

Update 2/24/17 2:56pm EST: A representative from Crunchyroll told Gizmodo “we do not use any of the services associated with the leaks. All Crunchyroll user data remains safe.” It’s been removed from the list of sites, which we’ll continue to update as information becomes available.