Google’s Project Zero team detected a huge data leak on Friday 24 February which may persuade you to change all your passwords.
According to Cloudflare’s incident report, a bug exposed private session keys and other sensitive data of 2 million sites on the Cloudflare network.
Once again – no one is safe!
Cloudflare is a company that provides web security to an estimated 5.5 million websites on the internet. Websites that could potentially be affected include well-known sites such as Uber, Transferwise, Weebly and OKCupid. A full list can be seen here (https://github.com/pirate/sites-using-cloudflare).
The problem was first noticed by Tavis Ormandy from Google’s bug team when he saw corrupted web pages being returned by some HTTP requests that ran through Cloudflare.
For example, if you visited an affected website, the page returned could contain data from a previous request from the website. Pen Test Partners whitehat hacker Andrew Tierney explained: “This sensitive data could’ve been returned to anyone”.
Multiple Twitter users have sought to get #CloudBleed trending to notify people to change their passwords after the serious data breach. Other users have seen the silver lining in the situation by making a dark joke of “Happy password reset day”.
Some may joke about the event, but seeing the speed and trend of data breaches, there may well be a dedicated day in the near future. It’s not such a bad idea as this will highlight the importance of data security for companies and businesses alike, as well as highlighting to individuals the proactive approach they must take to prevent being victimised by such cyber-crimes.
Cloudflare’s response method can be seen on their website. They said that the problem was identified quickly and that they managed to turn off three minor Cloudflare features that were using the same HTML chain that was the cause of the data leak.
Due to the seriousness of the bug, a cybersecurity team drawn from software engineering, infosec and operations was formed in San Francisco and London to diagnose and understand the cause of the leak. Having a global team allowed them to work on the problem for 24 hours a day. The team has highlighted the advantages of this service; a reported bug can be fixed in minutes to hours instead of months. Cloudflare backed this up by saying that the standard time to fix a bug can usually take up to three months. However, they stated that the bug was fixed in under 7 hours, with the initial mitigation of the effects done in 47 minutes.
Some may say that the reaction time of Cloudflare was extremely speedy following the ‘Cloudbleed’ scenario as a team was assembled in San Francisco just 30 minutes after Mr Ormandy tweeted:
Could someone from cloudflare security urgently contact me.
— Tavis Ormandy (@taviso) February 18, 2017
Though the effects may have been mitigated, and the bug fixed in an extraordinarily short amount of time, we mustn’t forget that the bug was serious and the leaked memory could’ve contained private and sensitive information.
It’s a good thing that the Google team contacted Cloudflare and are working closely with them to rectify the problems that may arise following the memory leak.
Cloudflare has learned its lesson and has taken extra precautions with the new HTML server; the cybersecurity team spent hours verifying the new server to ensure that it didn’t contain any cybersecurity problems. The team is also continually reviewing the older software in search of other potential cybersecurity issues.
The only helpful advice that can be given at this moment in time is to terminate all related sessions and change all passwords for affected accounts.