If you have or had accounts on Fitbit, Uber, OkCupid, Medium, or Yelp, you should probably change your passwords. In a blog post published on Thursday, the web performance and security company Cloudflare said it had fixed a critical bug, discovered over the weekend, that had been leaking sensitive information such as website passwords in plain text from September 2016 to February 2017. Over 5.5 million websites use Cloudflare, including Fitbit, Uber, OkCupid, Medium, and Yelp.
Some website sessions accessed through HTTPS, a secure web protocol that encrypts data sent to and from a page, have been compromised as a result, and what makes the bug particularly serious is that some search engines (including Bing, Google, and DuckDuckGo) had cached, or saved, some of the leaked data for some time. This data isn’t easy for a nontechnical person to find, but for someone with knowledge of how to craft specific queries for affected websites’ leaked data on search engines, it was well within their reach.
The vulnerability was first discovered on Feb. 17 by Google Project Zero employee Tavis Ormandy, who, in a blog post, said he found “private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings” in the data cached by search engines. Ormandy uploaded screenshots of Fitbit and Uber sessions with sensitive information redacted.
“Uh, should I do something about this?!?!”
The short answer is yes. While the number of leaks is relatively small (about .00003% of HTTP requests, or 1 in every 3,300,000 requests, according to Cloudflare), the extent of the bug, which is being called “Cloudbleed,” is far-reaching. In a Medium blog post, security researcher Ryan Lackey wrote, “The duration and potential breadth of information exposed is huge — Cloudflare has over 2 million websites on its network, and data from any of these is potentially exposed.”
Additionally, hackers may be able to target compromised sites and extract information exposed by the bug.
Make sure you have two-factor authentication enabled everywhere.
Two-factor authentication requires a code sent to your mobile phone, in addition to your password. Here’s a comprehensive list of websites that have two-factor, with links to how to turn it on for every site.
It’s possible that backup codes for two-factor authentication enabled within the past few months were leaked, so disable and re-enable the feature if you’ve turned it on recently and generate new backup codes.
While you’re at it, add a PIN to your phone number account.
Hackers can bypass two-factor authentication by providing your name and last four digits of your social security number to your mobile carrier. It’s easy to add an extra layer of security to your phone number, and here’s how to do it.
And if you are a website admin using Cloudflare on a domain, consider forcing a password change for users.
Lackey wrote, “For any sites processing highly sensitive information through Cloudflare, the lack of a quantifiable maximum exposure probably means it is worth forcing a password update [on] any sites processing.”
Larger sites, who most likely have users who use Cloudflare-hosted sites, should also consider prompting password changes in case users have reused the same password.