It may be time to change those passwords, as internet service provider Cloudflare discovered a bug in its code in September 2016, as reported by PBS. The bug may have far-reaching effects as customer information, such as passwords, cookies and personal information from several high profile brands has steadily been leaking out the past few months.
The bug is significant as Cloudflare manages 10% of all web traffic, helping brands avoid cyber attacks. It’s a convenient service for its clients, but the Chicago Tribune reported personal information of customers that are tied to some of Cloudflare’s clients (which include Uber, FitBit, and OKCupid) are part of the leak. The Tribune wrote this had not been an overnight situation, as Cloudflare has reportedly been leaking customer’s info for several months.
The leak was discovered by Google security expert Tavis Ormandy, as the personal information was quickly picked up by search engines. Cloudflare did not release a full list of the affected sites but noted it wasn’t widespread. Cloudflare pointed out in a statement the greatest stretch of impact was between February 13 and February 18, where “1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage.”
Several search engines have tried to scrub user’s sensitive details, but there is still some information floating around there. TechCrunch has a full list of Cloudflare customers to double check but recommends changing passwords.