
CloudBleed: Should You Reset Your Passwords?

By David Z. Morris
February 25, 2017, 12:01 PM ET

On Thursday, news emerged about a bug that has potentially exposed sensitive user and security data from millions of sites using CloudFlare, a web routing and security service. While the problem is now fixed, data was leaking for several months, and some of that data will remain in the wild, possibly indefinitely.

This is not a database hack of the sort infamously suffered by Yahoo!. The bits of compromised data are scattered in HTML code that has been served from millions of addresses across the web. To exploit it, malicious hackers would have to scrape and organize it. And experts say there’s a low likelihood that any single password or piece of data was compromised.

But scraping archives for passwords is not a terribly daunting task. And while Google is reportedly working to scrub its own archives, the data will likely continue floating around in a variety of other public and private caches. That, plus the huge scope and scale of the problem, means that security-conscious web users should reset their passwords—all of them.

Millions of sites using CloudFlare services were potentially affected by the problem, from Medium.com to Change.org to 4Chan. So many sites were vulnerable that it doesn’t make sense to review the list and change passwords on a case-by-case basis.

Of course, resetting passwords en masse will be a huge headache for most users, particularly because many of us have accounts, possibly containing sensitive information, that we don’t use regularly, and may even have forgotten about. That’s why some owners of sites that may have been exposed to the bug, such as the tech news site TechDirt, are proactively resetting users’ passwords for them.

Operators are also being advised to wipe their sites’ cookies and security certificates, and perform their own web searches to see if site data leaked.

Some services do have extra authentication to protect against data breaches. The password manager 1Password says that its product is designed with multiple failsafes, and that user data was not compromised by the CloudFlare bug. That would not have prevented data leaking from other sources, though, so users should still reset passwords for individual sites.

1Password, along with other password managers like LastPass, also makes it easier to reset many passwords at one time. Dashlane in particular has a lauded one-click password change feature, though it will be most useful for existing users of that service.

Using a password manager is a good security practice in general, so CloudBleed may be good motivation to start. You could even call it a silver lining.
