Cloudflare, which operates a widely used web content delivery network, announced a security bug on February 23 that caused sensitive data to leak from its customers’ websites.  The exact number of websites potentially affected is unknown but some estimates place the total in excess of 5 million. The Google security researcher who discovered the bug – nicknaming it “Cloudbleed” after the 2014 Heartbleed bug – reported it to Cloudflare on February 18, 2017.  Cloudflare disabled the compromised software and stopped the leak later the same day.

The leaked data reportedly included passwords, private messages, encryption keys, session cookies that would let an attacker log into an account without a password, IP addresses and other data.  Leaked data was exposed to search engine crawlers, which began to automatically cache the data, thus complicating remediation.

As of this writing there have been no publicized reports that leaked data has been exploited and Cloudflare has published analysis concluding that the vast majority of its customers probably were not affected.  However, operators of millions of websites and their users are left to wonder whether they were affected and what they should do next.

Below is a summary of what we know now and our thoughts on next steps.

Several significant distributed denial-of-service (“DDoS”) attacks have taken place in the last few weeks, including a major event involving a domain name service provider (Dyn), which caused outages and slowness for many popular sites like Amazon, Netflix, Reddit, SoundCloud, Spotify, and Twitter. This significant attack came on the heels of two major DDoS attacks against KrebsonSecurity and France-based hosting provider, OVH, in late September—each of which set records as the largest of these attacks in history. Most recently, nearly 900,000 Deutsche Telekom routers in Germany were attacked, causing significant internet and television outages across the country. While DDoS attacks have been around for some time, what stands out in these cases is the attackers’ exploitation of security weaknesses in tens of thousands of Internet-of-Things (“IoT”) devices to launch the attacks. Unfortunately, these types of widespread outages may be more common in the future if these weaknesses are not addressed.