'Cloudbleed' Bug May Have Exposed Millions Of Sites' User Passwords


Tech experts are urging subscribers to numerous online services to change their passwords after a possible leak of user data.

The leak, which techies are calling “Cloudbleed,” involves Cloudflare, a web services company used by many large websites. An analyst at Google’s Project Zero noticed a bug in Cloudflare’s code that occasionally allowed personal user data to be indexed by search engines.

Hackers could potentially find that data and use it to compromise people’s accounts. However, Cloudflare said in a blog post that, so far, it has “not discovered any evidence of malicious exploits of the bug or other reports of its existence.”

The leaks happened between Sept. 22, 2016, and Feb. 18, 2017, when they were discovered by Project Zero and fixed by Cloudflare. According to Gizmodo, nearly 4.3 million domain names may have been affected.

Cloudflare CEO Matthew Prince. (Photo: TechCrunch via Flickr)

Cloudflare didn’t say who among its clients may have been affected by the bug in its proxy service, but tech blog GitHub has published a list of possibly affected sites. The list includes major names such as Uber, Yelp, OKCupid and 23andme.

UPDATE 5:22 PM ET: 23andme says it has been told by Cloudflare that the gene-testing company has not been affected by the bug. "We will continue to investigate and update our customers accordingly," a spokesperson told HuffPost Canada in an email.

UPDATE 8:14 PM ET: Uber says none of its users' passwords were involved.

"Only a small fraction of Uber traffic goes through Cloudflare, so the impact was limited to a handful of session tokens, which we've already changed," a spokesperson said.

UPDATE 2017-02-28: A Glassdoor spokesperson says the company has been told by Cloudflare that "Glassdoor users are not impacted in any way. We will continue to monitor the situation. We take the privacy of our users very seriously."

GitHub adds the disclaimer that the list “contains all domains that use cloudflare DNS, not just the cloudflare proxy (the affected service that leaked data).”

In other words, some of these sites may prove not to have been compromised. Domain names are being struck off this list as information rolls in. Check for updates.

  • 4chan.org
  • authy.com
  • betterment.com
  • bitpay.com
  • change.org
  • coinbase.com
  • curse.com (and some other Curse sites like minecraftforum.net)
  • digitalocean.com
  • extratorrent.com
  • feedly.com
  • fitbit.com
  • localbitcoins.com
  • medium.com
  • news.ycombinator.com
  • okcupid.com
  • pastebin.com
  • patreon.com
  • poloniex.com
  • producthunt.com
  • prosper.com
  • tfl.gov.uk
  • transferwise.com
  • thepiratebay.org
  • yelp.com
  • zendesk.com

Check the GitHub site for a list of the 10,000 highest-traffic sites that may have been affected by this bug.
