What You Need to Do About the Massive Cloudflare Data Leak


This story is over 5 years old.


What You Need to Do About the Massive Cloudflare Data Leak

Millions of websites may have been affected by Cloudbleed. Here’s what you should do to keep your accounts safe.

On Thursday, Google's Project Zero disclosed a serious security issue, now known as Cloudbleed, with popular internet infrastructure service Cloudflare. In short, Cloudflare-protected websites and services—including Uber, dating site OkCupid, and Fitbit—have inadvertently been leaking sensitive user data, potentially including passwords and private messages.

Read more: The Motherboard Guide to Not Getting Hacked


This isn't the fault of the sites themselves, but the way Cloudflare parsed HTML pages. The leaked data was then archived by search engines, as web pages and data are. Google and Cloudflare have worked to remove much of the exposed data, but some examples may remain.

So what do you actually need to do in light of this?

Check which sites use Cloudflare

Cloudflare is big. Really big. According to one very rough estimate, over 4 million domains use Cloudflare (although that includes ones that use other Cloudflare services, and not just the product that this security issue affected).

You can go through that list, and see which sites you've signed up to in the past. Notable sites include Coinbase, server company DigitalOcean, Patreon, 23andme, and so on. Or, you can check the website doesitusecloudflare.com. Just punch in some of the services you use.

If they do run Cloudflare, well…

Change your password on those sites

It's unclear whether your data in particular was exposed, but you should probably change your password as a precaution anyway—sites have been leaking data for some time, some of it was archived in search engines, and data may have been stored in other services too.

Indeed, "unless it can be shown conclusively that your data was NOT compromised, it would be prudent to act as if it were," security researcher and former Cloudflare employee Ryan Lackey wrote in a Medium post on Thursday. (Lackey recommends changing all of your passwords, rather than checking if a particular service uses Cloudflare or not, but that may be too much of a time investment for some).

Use a password manager

Changing your passwords may be a pain, but this is also a good excuse, if you haven't already, to get setup with a password manager. This bit of software will generate unique passwords for you, and take on the responsibility of remembering them. All you need to do, is memorize the one, master password that unlocks them all.

Get six of our favorite Motherboard stories every day by signing up for our newsletter.