Cloudbleed Bug Impacts Large Swath of the Internet

Posted on March 7, 2017

Cloudflare, which operates a widely used web content delivery network, announced a security bug on February 23 that caused sensitive data to leak from its customers’ websites. The exact number of websites potentially affected is unknown but some estimates place the total in excess of 5 million. The Google security researcher who discovered the bug – nicknaming it “Cloudbleed” after the 2014 Heartbleed bug – reported it to Cloudflare on February 18, 2017. Cloudflare disabled the compromised software and stopped the leak later the same day.

The leaked data reportedly included passwords, private messages, encryption keys, session cookies that would let an attacker log into an account without a password, IP addresses and other data. Leaked data was exposed to search engine crawlers, which began to automatically cache the data, thus complicating remediation.

As of this writing there have been no publicized reports that leaked data has been exploited and Cloudflare has published analysis concluding that the vast majority of its customers probably were not affected. However, operators of millions of websites and their users are left to wonder whether they were affected and what they should do next.

Below is a summary of what we know now and our thoughts on next steps.

UK Hedge Fund Standards Board issues cybersecurity guidance

By Marcus Evans (UK) on October 4, 2015

The UK Hedge Fund Standards Board (HFSB) announced on September 17, 2015, that it has added a “Cybersecurity Memo” to its Toolbox function. The Toolbox provides guidance to managers, investors, and fund directors on fund-related issues such as governance, internal processing, and reporting. The Toolbox acts as a complement to the HFSB’s standard-setting activities.

Data Protection Report

incident response plan

Cloudbleed Bug Impacts Large Swath of the Internet

UK Hedge Fund Standards Board issues cybersecurity guidance

About

Topics

Archives