Cloud Bleed

In February, a major security bug was found to have affected over 3,400 websites, including popular services like Uber, FitBit, and OkCupid. Usernames and passwords were leaked onto the Internet, mostly in cached pages from corrupted sites. The bug had been leaking sensitive information since September, according to an article in CNET.

The problem was discovered by Google security researcher Tavis Ormandy, who noticed the bug in a widely used tool provided by Cloudflare that was meant to help manage and protect internet traffic. He nicknamed the bug “Cloudbleed” after the bug “Heartbleed,” another major breach in mobile security that was exposed in 2014.

According to Ormandy, the security breach included other sensitive information besides exposed emails and passwords, such as "private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, and hotel bookings," according to his report.

Cloudflare immediately responded to fix the security breach. John Graham-Cumming, Cloudfare’s chief technical officer wrote in a blog post: “Having a global team meant that, at 12 hour intervals, work was handed over between offices enabling staff to work on the problem 24 hours a day. The team has worked continuously to ensure that this bug and its consequences are fully dealt with…The industry standard time allowed to deploy a fix for a bug like this is usually three months; we were completely finished globally in under 7 hours with an initial mitigation in 47 minutes.”

After fixing the flaw, Cloudflare worked with search engines including Google and Bing to purge cached records of the corrupted web pages.

While Cloudfare confirmed that 3,400 websites had leaked information, Ormandy argued it was likely much more, since data was leaking from all of Cloudflare’s customers, a significantly higher number. Ormandy claimed Cloudfare was downplaying the potential damage caused by the bug.

Companies affected have responded to customer concerns, too. Uber claimed that no passwords for its service were exposed and that “only a handful of session tokens” were affected, according to CNET. FitBit has encouraged its users to change their passwords and provided a guide outlining how they can protect themselves going forward. OkCupid told CNET that their “initial investigation has revealed minimal, if any, exposure.”

Cummings advised users of websites who employ Cloudfare to change their passwords to be safe. He also advised the affected companies should take precautions by making changes going forward to secure their information, as their security tools were also exposed.