Cloudflare Security Breach Exposes Data From 3400 Websites Including, Fitbit & Uber

User data from 3,400 websites has been leaked and cached by search engines as a result of a bug in the Cloudflare content delivery network. The goal of a content delivery network is to serve content to end-users with high availability and high performance.But instead, this one leaked data and the leaks were spotted by Google security researcher Tavis Ormandy who has a habit of spotting this sort of thing. A Cloudflare blog post acknowledges that the issue was serious, but says there is no evidence of it having been exploited:

The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.

But Cloudflare’s response was quickly smacked down by Ormandy:

[The company’s blog post] contains an excellent postmortem, but severely downplays the risk to customers.

An unofficial list of sites that may be affected has been posted to Github and it includes sites like Fitbit and Uber, but note that this includes all domains that use Cloudflare DNS. That means that this is a much larger number than use the affected services. In the meantime Google, Bing, Yahoo and other search engines have been working on clearing cached data from the breach before anyone went public. But that doesn’t mean that nothing leaked out as this issue likely existed for months before being patched.



One Response to “Cloudflare Security Breach Exposes Data From 3400 Websites Including, Fitbit & Uber”

  1. […] is related to the Cloudflare disclosure of leaked data. It is not clear if Cineplex is a Cloudflare customer, but the timing is […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: