Friday February 24, 2017

Cloudflare Cloudbleed Bug Exposes Customers' Customer Data

Cloudflare has let us know that a bug possibly exposed data of its customers' customers. Both HardOCP and HardForum sit behind Cloudflare technologies. So yes, this story hits home for HardForum users, but Cloudflare has let us know that we were not exposed in the breach. You can read up on this incident here. To be honest though, I would suggest you change your HardForum password anyway. It is the smart thing to do. You can read the email sent to me by Cloudflare this morning below.

In our review of these third party caches, we discovered exposed data on approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

Your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.

To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.
