It’s once again time to change your passwords. A bug found in internet infrastructure company Cloudflare’s software has been leaking personal data – including private chat logs and passwords – from hundreds of thousands of websites for months.
Cloudflare, which offers hosting and security services to websites, hosts six million sites, including services like Uber, FitBit, OKCupid and password management program 1Password.
READ MORE: Average cost of data breach in Canada is $6.03M, study finds
According to Google researchers who discovered the bug, now known as “Cloudbleed,” the vulnerability had been sending chunks of data to users’ browsers when they visited a webpage hosted by the company. The bug may have been active since September 2016, but researchers say it was definitely from February 13 until it was discovered on February 18.
Of the leaked data, researchers said they found private messages from dating sites, full messages from chat services, online password data, frames from adult video sites and hotel booking details.
READ MORE: Canadian Tire admits 5 days after breach customer info may have been ‘accessed’
While the leak has the potential to be very dangerous for web users, the company said there is no evidence the data was accessed by hackers.
“We’ve seen absolutely no evidence that this has been exploited,” Cloudflare Chief Technology Officer John Graham-Cumming told Reuters. “It’s very unlikely that someone has got this information.”
Researchers said about 120,000 webpages were leaking information every day. Graham-Cumming noted the company has been working with Google to remove any sensitive data that may have been indexed by search engines.
The website doesitusecloudflare.com has already been set up, allowing users to search through services they have signed up for to see if they might be affected.
How many people might be affected by ‘Cloudbleed’?
Unfortunately, it’s unclear just how many web users may have been affected by the Cloudflare bug. While the company has downplayed the severity of the leaked data and fixed the vulnerability itself, security experts warn there could still be fallout for those who use websites run by Cloudflare.
- B.C. introduces legislation recognizing Haida Gwaii Indigenous title
- Whale experts confident B.C. orca calf will survive, find family if rescue plan succeeds
- Plastic production cap still contentious as Ottawa set to host treaty talks
- Chemical plant shuts down after high benzene levels detected near Ontario First Nation
READ MORE: Ransomware on the rise in Canada – How to protect your data
“While Cloudflare’s service was rapidly patched to eliminate this bug, data was leaking constantly before this point — for months. Some of this data was cached publicly in search engines such as Google, and is being removed,” wrote security expert Ryan Lackey in a blog post.
“Other data might exist in other caches and services throughout the Internet, and obviously it is impossible to coordinate deletion across all of these locations. There is always the potential someone malicious discovered this vulnerability independently.”
Dating site OKCupid said its initial investigation revealed “minimal, if any” exposure from the bug. 1Password also said none of its data was found to be at risk.
What can you do to protect yourself?
Lackey and others recommend users change their passwords right away, just in case any leaked data fell into the wrong hands.
“Cloudflare is behind many of the largest consumer web services (Uber, Fitbit, OKCupid, …), so rather than trying to identify which services are on Cloudflare, the most cautious is use this as an opportunity to rotate ALL passwords on all of your sites,” he said.
What are the popular sites affected by ‘Cloudbleed’?
- Uber
- OKCupid
- 1Password
- FitBit
- Yelp
- Medium
Tips for creating secure passwords:
Security breaches like this one are a good opportunity to be more proactive about the type of passwords you use. For example, stay away from easy-to-guess passwords like “123456″ or “password” as well as easy to guess identifiers, like your dog’s name.
Experts say passwords that include a mix of letters, numbers and symbols are more secure – but numbers included in a password should never be something easy to guess based on the user. That means your age, the current year, or your address are not good choices. Similarly, the longer the password the better.
Passwords that use up to 10 uppercase and lowercase letters mixed with numbers are proven to be more secure – despite being hard to remember.
READ MORE: How to protect yourself from security breaches on social media sites
One tip is to construct a password from a sentence, mix in a few uppercase letters and a number – for example, “There is no place like home,” would become “tiNOplh62.”
And remember, try not to use the same password for any two accounts.
If the website or service you are using offers two-step authentication, experts agree its in your best interest to turn it on.
Two-factor or “two-step” authentication requires the user to set up their account so that a text message containing a secondary login code is sent to their phone every time they log in to their account. That means a hacker would have to have both your password and your cellphone in order to get access to your accounts.
– With files from Reuters
Comments