What you need to know about ‘Cloudbleed,’ the latest internet security bug

It's time to change your passwords once again, thanks to a potentially massive data leak. Nico De Pasquale Photography/Flickr

It’s once again time to change your passwords. A bug found in internet infrastructure company Cloudflare’s software has been leaking personal data – including private chat logs and passwords – from hundreds of thousands of websites for months.

Cloudflare, which offers hosting and security services to websites, hosts six million sites, including services like Uber, FitBit, OKCupid and password management program 1Password.

According to the Google researchers who discovered the bug, now known as “Cloudbleed,” the vulnerability had been sending chunks of other users’ data to visitors’ browsers when they loaded a webpage served by the company. The bug may have been active since September 2016, but researchers say it was definitely active from February 13 until it was discovered on February 18.

Of the leaked data, researchers said they found private messages from dating sites, full messages from chat services, online password data, frames from adult video sites and hotel booking details.

While the leak has the potential to be very dangerous for web users, the company said there is no evidence the data was accessed by hackers.

“We’ve seen absolutely no evidence that this has been exploited,” Cloudflare Chief Technology Officer John Graham-Cumming told Reuters. “It’s very unlikely that someone has got this information.”

Researchers said about 120,000 webpages were leaking information every day. Graham-Cumming noted the company has been working with Google to remove any sensitive data that may have been indexed by search engines.

A website has already been set up that allows users to search the services they have signed up for to see if they might be affected.

How many people might be affected by ‘Cloudbleed’?

Unfortunately, it’s unclear just how many web users may have been affected by the Cloudflare bug. While the company has downplayed the severity of the leaked data and fixed the vulnerability itself, security experts warn there could still be fallout for those who use websites run by Cloudflare.

“While Cloudflare’s service was rapidly patched to eliminate this bug, data was leaking constantly before this point — for months. Some of this data was cached publicly in search engines such as Google, and is being removed,” wrote security expert Ryan Lackey in a blog post.

“Other data might exist in other caches and services throughout the Internet, and obviously it is impossible to coordinate deletion across all of these locations. There is always the potential someone malicious discovered this vulnerability independently.”

Dating site OKCupid said its initial investigation revealed “minimal, if any” exposure from the bug. 1Password also said none of its data was found to be at risk.

What can you do to protect yourself?

Lackey and others recommend users change their passwords right away, just in case any leaked data fell into the wrong hands.

“Cloudflare is behind many of the largest consumer web services (Uber, Fitbit, OKCupid, …), so rather than trying to identify which services are on Cloudflare, the most cautious is to use this as an opportunity to rotate ALL passwords on all of your sites,” he said.

What are the popular sites affected by ‘Cloudbleed’?

  • Uber
  • OKCupid
  • 1Password
  • FitBit
  • Yelp
  • Medium

Tips for creating secure passwords:

Security breaches like this one are a good opportunity to be more proactive about the type of passwords you use. For example, stay away from easy-to-guess passwords like “123456” or “password” as well as easy-to-guess identifiers, like your dog’s name.

Experts say passwords that include a mix of letters, numbers and symbols are more secure – but numbers included in a password should never be something easy to guess based on the user. That means your age, the current year, or your address are not good choices. In general, the longer the password, the better.

Passwords that use up to 10 uppercase and lowercase letters mixed with numbers are proven to be more secure – despite being hard to remember.

One tip is to construct a password from a sentence, mix in a few uppercase letters and a number – for example, “There is no place like home,” would become “tiNOplh62.”

And remember, try not to use the same password for any two accounts.

If the website or service you are using offers two-step authentication, experts agree it’s in your best interest to turn it on.

Two-factor or “two-step” authentication requires the user to set up their account so that a text message containing a secondary login code is sent to their phone every time they log in. That means a hacker would need both your password and your cellphone in order to get access to your accounts.

– With files from Reuters