
Cloudflare's Cloudbleed HTTPS Traffic Leak

Cloudflare has disclosed a bug that exposed personal information of anyone who visited a site served through its reverse proxy. Cloudflare fronts some of the biggest sites on the Internet; gaming, social, porn, and file-sharing sites are especially likely to use it.

You should change your passwords. Google / Microsoft services do not use Cloudflare.

Between 2016-09-22 and 2017-02-18, passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare's edge servers into responses served to unrelated requesters. Some of that data was cached by search engines, and it may have been collected by anyone who noticed the leak during those months.

Requests to sites with certain HTML-rewriting features enabled (Cloudflare's report names email obfuscation, Server-Side Excludes, and Automatic HTTPS Rewrites) triggered a pointer-arithmetic bug in the edge HTML parser, which read past the end of the buffer it was parsing. Once the bug was triggered, the response included whatever happened to sit next to that buffer in the proxy process's memory, which could be data from ANY other Cloudflare proxy customer. So a request for a page with one of those features enabled could return data from Uber or any of the many other customers that didn't use those features. The potential impact is therefore every site using Cloudflare's proxy services (HTTP and HTTPS alike), not just the sites with the features turned on. HTTPS did not help: TLS is terminated at Cloudflare's edge, so the leaked data was already plaintext in the proxy's memory.
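To make the mechanism concrete, here is an added example (not Cloudflare's code, and not from the original page) that reproduces the bug pattern in a toy HTML rewriter. Cloudflare's own incident report attributed the overrun to an end-of-buffer check in the Ragel-generated parser that was written as an equality test (`p == pe`), so that a step of more than one byte could carry the pointer past `pe` and the loop kept consuming whatever followed the buffer in memory. Everything below is constructed for illustration: the arena standing in for the proxy heap, the two "customers" and their HTML, and the backslash-escape rule that performs the two-byte step.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample: one arena stands in for the shared heap of a proxy
 * process.  Customer A's HTML (the request that triggers the bug) sits
 * directly in front of customer B's in-flight response.  Nothing from B
 * should ever be copied into A's output.
 */
#define ARENA_SIZE 256
static char arena[ARENA_SIZE];

/* Customer A: page whose last <script> tag is cut off inside an attribute,
   ending on a backslash escape.  (Constructed; not a real customer.) */
static const char customer_a_html[] = "<p>hi</p><script src=\"x\\";

/* Customer B: an unrelated response that happens to follow A in memory. */
static const char customer_b_html[] =
    "<!-- cust B --><h1>Welcome back, bob@example.com</h1>"
    "<input name=\"csrf\" value=\"B-SECRET-7f3a\">";

/* Lay A and B out back to back; return A's bounds [p, pe) via out-params. */
static void setup_arena(const char **p, const char **pe)
{
    size_t alen = strlen(customer_a_html);
    memset(arena, 0, sizeof arena);
    memcpy(arena, customer_a_html, alen);
    memcpy(arena + alen, customer_b_html, strlen(customer_b_html));
    *p = arena;
    *pe = arena + alen;
}

/*
 * Minimal HTML rewrite pass: copies text through and drops <script ...> tags.
 * Inside a tag a backslash escape consumes two bytes at once; that is the
 * step which can jump over `pe`.  exact_end_check = 1 reproduces the
 * Cloudbleed pattern (stop only when p == pe); 0 uses the safe p >= pe test.
 * Returns the number of bytes written to out (NUL-terminated).
 */
static size_t rewrite(const char *p, const char *pe, char *out, size_t outcap,
                      int exact_end_check)
{
    size_t n = 0;
    int in_tag = 0;

    while (n + 1 < outcap) {
        /* The termination test is the only difference between buggy and fixed. */
        if (exact_end_check ? (p == pe) : (p >= pe))
            break;

        if (!in_tag) {
            if (pe - p >= 7 && memcmp(p, "<script", 7) == 0) {
                in_tag = 1;
                p += 7;
                continue;
            }
            out[n++] = *p++;
        } else if (*p == '>') {
            in_tag = 0;      /* tag closed; back to copying text */
            p++;
        } else if (*p == '\\') {
            p += 2;          /* skip the escaped byte: may land at pe + 1 */
        } else {
            p++;
        }
    }
    out[n] = '\0';
    return n;
}

/* Run the rewriter over customer A's buffer in the chosen mode. */
size_t run_rewrite(int exact_end_check, char *out, size_t outcap)
{
    const char *p, *pe;
    setup_arena(&p, &pe);
    return rewrite(p, pe, out, outcap, exact_end_check);
}

/* 1 if customer B's secret shows up in customer A's rewritten output. */
int leaks_customer_b(int exact_end_check)
{
    char out[128];
    run_rewrite(exact_end_check, out, sizeof out);
    return strstr(out, "B-SECRET-7f3a") != NULL;
}

/* 1 if the fixed rewriter emits exactly A's own text and nothing more. */
int fixed_output_is_clean(void)
{
    char out[128];
    run_rewrite(0, out, sizeof out);
    return strcmp(out, "<p>hi</p>") == 0;
}

int main(void)
{
    char out[128];
    run_rewrite(1, out, sizeof out);
    printf("buggy (p == pe): %s\n", out);
    run_rewrite(0, out, sizeof out);
    printf("fixed (p >= pe): %s\n", out);
    return 0;
}
```

Compile with `cc -o cloudbleed cloudbleed.c` and run it: in buggy mode the response built for customer A contains customer B's page, including the e-mail address and CSRF token, while the fixed mode stops at A's buffer end. The two runs differ only in the termination test; any parser that advances its cursor by more than one byte at a time must treat the end-of-buffer check as an inequality, and must treat every such multi-byte step as a place where the bound can be skipped.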

A list of Cloudflare-fronted sites among the top 10,000 most-trafficked sites. Just because a website you visit is not on that list does not mean it does not use Cloudflare.
https://github.com/pirate/sites-using-cloudflare

A few notable sites:

authy.com
coinbase.com
bitcoin.de
betterment.com
transferwise.com
prosper.com
digitalocean.com (no leaked data found in several search engine caches)
patreon.com
bitpay.com
news.ycombinator.com
producthunt.com
medium.com
4chan.org
yelp.com
okcupid.com
zendesk.com
uber.com
poloniex.com
localbitcoins.com
kraken.com
23andme.com
curse.com (and some other Curse sites like minecraftforum.net)
counsyl.com
tfl.gov.uk
account.leagueoflegends.com
myaccount.nytimes.com
technicpack.net
namecheap.com (no leaked data found in several search engine caches)
discordapp.com (affected)
glassdoor.com (no leaked data found in several search engine caches)
vultr.com (no leaked data found in several search engine caches)
fastmail.com (not affected, #2)
1password.com (not affected)