Cloudflare, which operates a widely used web content delivery network, announced a security bug on February 23 that caused sensitive data to leak from its customers’ websites. The exact number of websites potentially affected is unknown but some estimates place the total in excess of 5 million. The Google security researcher who discovered the bug – nicknaming it “Cloudbleed” after the 2014 Heartbleed bug – reported it to Cloudflare on February 18, 2017. Cloudflare disabled the compromised software and stopped the leak later the same day.
The leaked data reportedly included passwords, private messages, encryption keys, session cookies that would let an attacker log into an account without a password, IP addresses and other data. Leaked data was exposed to search engine crawlers, which began to automatically cache the data, thus complicating remediation.
As of this writing there have been no publicized reports that leaked data has been exploited and Cloudflare has published analysis concluding that the vast majority of its customers probably were not affected. However, operators of millions of websites and their users are left to wonder whether they were affected and what they should do next.
Below is a summary of what we know now and our thoughts on next steps.