User data from 3,400 websites has been leaked and cached by search engines as a result of a bug in Cloudflare, a content delivery network. Sites affected over the course of several months include major ones like Uber, Fitbit and dating site OKCupid. 1Password also uses Cloudflare, but says that end-to-end encryption means that no customer data was exposed.
ArsTechnica reports that the leaks were spotted by Google security researcher Tavis Ormandy.
We observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security.
Cloudflare has admitted that the breach occurred, but Ormandy and other security researchers believe the company is underplaying the severity of the incident …
A Cloudflare blog post acknowledges that the issue was serious, but says there is no evidence of it having been exploited.
The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.
Ormandy responded by writing:
[The company’s blog post] contains an excellent postmortem, but severely downplays the risk to customers.
Security researcher Ryan Lackey agrees, saying that while the likelihood of passwords being exposed is low, that risk does exist and that users are advised to change them.
While Cloudflare’s service was rapidly patched to eliminate this bug, data was leaking constantly before this point — for months. Some of this data was cached publicly in search engines such as Google, and is being removed. Other data might exist in other caches and services throughout the Internet […]
The most sensitive information leaked is authentication information and credentials. A compromise of this data can have lasting and ongoing consequences until credentials are revoked and replaced. From an individual perspective, this is straightforward —the most effective mitigation is to change your passwords.
Google, Bing, Yahoo and other search engines have been working on clearing cached data from the breach before anyone went public, hence the delayed notification, but ArsTechnica notes that some cached data remains.
In an unrelated incident, Google users have found themselves logged out of their accounts, with some Google Wi-Fi and OnHub routers also reset. Google has acknowledged the issue but says that there is no indication of any security threat.