Your website is most likely not affected

We learned of the Cloudflare data leak (dubbed “Cloudbleed”) late last night and have dug into the issue. Long story short, I think it’s a non-issue for almost all sites at this point. At the peak, roughly 1 in every 3.3 million requests through Cloudflare leaked memory; the bug was triggered by pages on a few thousand of the sites that run through Cloudflare, and leaked data was found indexed and cached by search engines for only a small number of domains. “With the help of Google, Yahoo, Bing, and others, we found 770 unique URIs that had been cached and which contained leaked memory,” said Cloudflare. “Those 770 unique URIs covered 161 unique domains.” The one caveat worth understanding is that the leaked memory came from Cloudflare’s shared proxy servers, so what came out through one site’s page could include headers, cookies or form data from requests to any other site behind Cloudflare, not just the site that triggered the bug.

As a precaution we are invalidating all WordPress login cookies on every site on our servers by changing the authentication keys and salt values in each site’s wp-config.php. WordPress signs its login cookies with those values, so changing them makes every existing cookie fail validation. That covers the very unlikely case that a cookie value was captured and cached privately somewhere and could be linked back to a particular site. Users simply log back in, their cookies are recreated automatically, and they are back to normal.
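The key rotation described above, as an added example rather than the tooling from the original post: a bash script that rewrites the eight key and salt define() lines in each wp-config.php it is given with fresh random values, and refuses to touch a file where a key is missing or defined more than once (WordPress would otherwise keep using whatever value it finds elsewhere, including a salt stored in the database). The file layout assumed is the standard one WordPress ships, one define() per key; the character set and 64-character length of the generated values are choices made here, not WordPress requirements. If WP-CLI is installed, `wp config shuffle-salts` does the same job.

```shell
#!/usr/bin/env bash
# Rotate the eight WordPress authentication keys and salts in wp-config.php.
# Added example for this post, not WordPress's or Cloudflare's own code.
# Assumes bash, sed, tr, head and /dev/urandom.
set -eu

# Changing any of these changes the hash WordPress computes over every auth,
# secure-auth, logged-in and nonce cookie, so all existing sessions fail
# validation and users are simply asked to log in again.
WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random characters from a set that is safe both inside a single-quoted
# PHP string and on the right-hand side of a sed substitution (no quote,
# backslash, slash, ampersand or pipe). 1024 random bytes yield ~300 usable
# characters, so 64 are always available.
random_salt() {
  head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!#%*+,.:;=?@^_~-' | head -c 64
}

# rotate_salts FILE: rewrite each define() line in place, keeping a .bak copy.
# Returns 1 without changing anything if a key is not present exactly once.
rotate_salts() {
  local file="$1" key value count
  for key in $WP_SALT_KEYS; do
    count=$(grep -c "^define( *'$key'" "$file" || true)
    if [ "$count" != "1" ]; then
      echo "rotate_salts: $key defined $count times in $file, not touching it" >&2
      return 1
    fi
  done
  cp "$file" "$file.bak"
  for key in $WP_SALT_KEYS; do
    value=$(random_salt)
    # Replace the whole define() line for this key; the old value is discarded.
    sed "s|^define( *'$key'.*|define( '$key', '$value' );|" "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
  done
}

# Usage: rotate-salts.sh /var/www/*/wp-config.php
for cfg in "$@"; do
  rotate_salts "$cfg"
done
```

The pre-check matters more than it looks: a site that keeps its salts in a separate include, or that never had them defined, would silently keep its old sessions valid if the script just ran sed over the file.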

As an extra precaution, changing the passwords you use on sites that sit behind Cloudflare can’t hurt, but we don’t think it is needed.

If we learn of any real threat that crops up later, we’ll reach back out and take more action as needed.

We are still using and recommending Cloudflare

We are still using and recommending Cloudflare. This issue has caused them to audit their systems end to end; they have already improved security and will likely do more in the coming days. The services Cloudflare provides help server performance, site performance, site security and site reliability, and include free SSL certificates (their origin certificates can be issued for up to 15 years).

If you’re interested in getting your website on Cloudflare, reach out and we can help you get that set up.

Use a Password Manager

As reassurance, users of the password managers LastPass (which we use and recommend) and 1Password are safe. LastPass does not run through Cloudflare at all, and although 1Password does run its site through Cloudflare, vault data is encrypted on the client before it ever reaches the TLS layer, so a leak at that layer does not expose it:
https://blog.agilebits.com/2017/02/23/three-layers-of-encryption-keeps-you-safe-when-ssltls-fails/
and
https://blog.lastpass.com/2017/02/two-security-bulletins-sha-1-collision-attack-and-cloudflare-incident.html/

For those interested, technical details on the Cloudbleed data leak

Their long incident report, with code-level explanations:
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

Cloudflare disabled the feature that was triggering the bug within about an hour of being notified and had a fix deployed globally within 7 hours. The bug had been latent since September 2016, but most of the leaking happened over a few days in mid-February 2017, after a change to their email obfuscation feature started triggering it far more often; a few thousand domains served pages that triggered it. The root cause was a pointer bug in a generated HTML parser: the end of the buffer was checked with an equality test, so once the pointer stepped past the end it kept reading, and what leaked was simply whatever sat in memory after the page. Cloudflare also worked with the search engines to purge any leaked data that had been indexed and cached.
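To make that root cause concrete, here is a toy pass-through scanner written for this post (not Cloudflare’s code; the page, the “heap” layout and every name in it are constructed). It walks a page buffer with a cursor `p` and an end pointer `pe`, copying the page to its output and, on `<script`, walking the tag through to its closing `>` so the attribute list could be inspected. With the end of the buffer tested for equality, an unterminated `<script` at the very end of a page carries `p` past `pe`, the test never fires again, and whatever sits after the page in memory, here another request’s cookie header, is copied into the output. The same scanner with a `p < pe` test stops at the end of the page, and a page whose tag is properly closed is fine under either test, which is why this class of bug can hide for months.

```c
#include <stdio.h>
#include <string.h>

/* One array stands in for the process heap: the page being rewritten is
 * immediately followed by another request's data (constructed sample).
 * Every read in this demo is bounded by mem_end so it stays inside the
 * array; a real parser would keep walking the real heap. */
static const char HEAP[] =
    "<html><body>hello<script"                   /* the page: 24 bytes, tag never closed */
    "Cookie: session=SECRET-FROM-OTHER-SITE\r\n" /* memory past the end of the page */
    "<html>";                                    /* next buffer on the heap */
#define PAGE_LEN 24
#define HEAP_END (HEAP + sizeof HEAP - 1)

/* Same layout, but this page closes its <script> tag. */
static const char HEAP_OK[] =
    "<p>hi<script src=a.js></script>"
    "Cookie: session=OTHER";
#define PAGE_OK_LEN 31
#define HEAP_OK_END (HEAP_OK + sizeof HEAP_OK - 1)

/* Copy the page [buf, buf+len) to out and return the number of bytes written.
 * strict_bound selects the end-of-buffer test: p < pe (correct) or p != pe,
 * the equality test the generated parser used. Once p has jumped past pe
 * the equality test can never be true again. */
static size_t scan(const char *buf, size_t len, const char *mem_end,
                   int strict_bound, char *out, size_t out_cap)
{
    const char *p = buf, *pe = buf + len;
    size_t n = 0;

    while ((strict_bound ? p < pe : p != pe) && p < mem_end && n + 1 < out_cap) {
        if (pe - p >= 7 && memcmp(p, "<script", 7) == 0) {
            /* Walk the whole tag so its attributes can be inspected. The
             * correct variant also stops at pe; the other only stops at a
             * '>', wherever in memory the next one happens to be. */
            while ((!strict_bound || p < pe) && p < mem_end && n + 1 < out_cap && *p != '>')
                out[n++] = *p++;
            continue;               /* back to the end test, with p possibly > pe */
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Bytes that ended up in the output from beyond the end of the page. */
int bytes_leaked(int strict_bound)
{
    char out[128];
    size_t n = scan(HEAP, PAGE_LEN, HEAP_END, strict_bound, out, sizeof out);
    return (int)n - PAGE_LEN;
}

/* 1 if the other request's secret is in the output, else 0. */
int output_contains_secret(int strict_bound)
{
    char out[128];
    scan(HEAP, PAGE_LEN, HEAP_END, strict_bound, out, sizeof out);
    return strstr(out, "SECRET-FROM-OTHER-SITE") != NULL;
}

/* Same measurement for the well-formed page: both tests behave there. */
int bytes_leaked_wellformed(int strict_bound)
{
    char out[128];
    size_t n = scan(HEAP_OK, PAGE_OK_LEN, HEAP_OK_END, strict_bound, out, sizeof out);
    return (int)n - PAGE_OK_LEN;
}

int main(void)
{
    printf("p != pe : %d bytes leaked, secret exposed: %d\n",
           bytes_leaked(0), output_contains_secret(0));
    printf("p <  pe : %d bytes leaked, secret exposed: %d\n",
           bytes_leaked(1), output_contains_secret(1));
    printf("well-formed page, p != pe : %d bytes leaked\n", bytes_leaked_wellformed(0));
    return 0;
}
```

The lesson is the one Cloudflare drew: a loop that can move its cursor by more than one position must test the end with `>=` (or `<`), never `==`, because equality only catches a pointer that lands exactly on the boundary.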

The bug was found by Tavis Ormandy of Google’s Project Zero, who reported it to Cloudflare; here is his bug tracker entry:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

Here’s a distillation of still-affected domains showing up in caches:
http://doma.io/2017/02/24/list-of-affected-cloudbleed-domains.html