Change your passwords!

Status
Not open for further replies.

Red5

Webmaster, UsingEnglish.com
Dear UsingEnglish.com community,

Over the last few days there has been a lot of buzz on the internet about something called CloudBleed.

TL/DR
In short, web services and security company Cloudflare found a tiny bug which has caused an unknown quantity of data - including passwords, personal information, messages, cookies, and more - to leak all over the internet. In other words: it’s time to change your passwords. All of them.

Summary
The services from Cloudflare are used behind some of the largest and most popular sites on the internet, including UsingEnglish.com. Cloudflare has fixed the core bug which caused this issue, but the bad news is that sites have been leaking data for months now, possibly since September last year.

UsingEnglish.com started using Cloudflare on January 7th this year, but many other sites on the internet use Cloudflare. Their clients include huge companies like Uber, OKCupid, 1Password, and FitBit (thankfully 1Password claim that their user data is safe).

Due to the way the leak happened, the exposed data was also cached by Google and other sites, which means that anyone can potentially find and view this data. Cloudflare now has to hunt it all down before hackers find it.

The fact that so much of that data was cached across different sites means that, while Cloudflare’s initial patch stopped the leaking, the company needs to do lots of hunting around the web to ensure that all of the leaked data gets scrubbed. And even worse, even sites that don’t use Cloudflare's service - but have a lot of Cloudflare users - might have compromised data on their servers.

However, for now, you should change your passwords - all of them - and implement two-factor authentication everywhere you can.

Entrepreneur and security expert Ryan Lackey has offered some good advice:

Cloudflare is behind many of the largest consumer web services (Uber, Fitbit, OKCupid, …), so rather than trying to identify which services are on Cloudflare, it’s probably most prudent to use this as an opportunity to rotate ALL passwords on all of your sites.
...
Users should also log out and log in to their mobile applications after this update. While you’re at it, use 2FA or 2SV with sites you consider important, if it’s possible.

More information

Much of the information in this post has been cobbled together directly from this post on Gizmodo. I am not a security expert, but I needed to provide UsingEnglish.com users with the information they needed to secure their profiles here and logins elsewhere on the web.

You may find the following resources of interest too:

Although it is worth pointing out that we don't store much personal data - we have an email address and a date of birth, which could be true or not. We don't have any further information.
 
The valuable information would be users' login credentials - username and password. Many people routinely use the same credentials for multiple accounts.
 
As Tdol said, it's true that we have very little personal information here at UsingEnglish.com. It's also true, as GoesStation suggests, that people could potentially detect passwords and emails used here and be able to access other logins for a user on other sites.

However, leaked data from other sites includes a raft of things I'm sure users would rather keep private. The security professional who discovered this issue, Tavis Ormandy, wrote:

We keep finding more sensitive data that we need to clean up. I didn't realize how much of the internet was sitting behind a Cloudflare CDN until this incident.

The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up. I've informed Cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

This definitely needs to be taken very seriously, and passwords need to be changed. The risk to accounts being compromised is significant.
 
The valuable information would be users' login credentials - username and password. Many people routinely use the same credentials for multiple accounts.

Good point, but bad policy.
 
Thank you Red5. Yours was by far the most informative discussion of the topic I have seen. I shall certainly follow your recommendations. Thank you again.
 