The security firm Cloudflare disclosed late Thursday that a long-running bug in its security systems may have leaked information, including potentially personal information, from thousands of sites including Uber, Fitbit and OKCupid.
The problem was first uncovered by Google security expert Tavis Ormandy , who let Cloudflare know about the issue on Feb. 18. But the service had been leaking information for months in a way that allowed search engines to pick it up, according to Cloudflare.
The issue is only known to have affected a small portion of the 5.5 million sites that Cloudflare services. Cloudfare did not release a comprehensive list of affected sites, though researchers have been trying to compile them. However, there may be some companies listed as leaking information that were not. For example, password manager 1Password told its users that none of their data were put at risk.
Because there’s so little information about the sites and Cloudflare services are widely used, it’s a good idea to change your passwords on any site, in a “better safe than sorry” sort of way.
Computer science professor Matthew Green compared the situation to a food recall. “It’s probably not going to affect you, but it’s hard to say,” said Green, who works at Johns Hopkins University. “Maybe you find that a few containers of yogurt have some added bacteria. Probably, you can go eat yogurt. But would you want to?”
Cloudflare posted a technical explanation of the problem to its blog. Essentially, the company was changing over from older code to newer code. Running both at the same time created an unforeseen issue that, when combined with some other features that Cloudflare offers, caused a data leak.
“They were testing the security of the new code, but what they were not doing was addressing the legacy code and how that would interact with the new software that was being introduced,” said Troy Leach, chief technology officer for the PCI Security Standards Council, a group that focuses on cybersecurity in the payment industry”.
Cloudflare said it has fixed the problem and is working to get the pages with personal information taken off search engines.
For what it’s worth, however, Cloudflare has said it hasn’t heard of any personal information from this leak being used in a malicious way. But as other security experts have said in blog posts and other commentary on the leak, there’s really no way to prove that.
This incident does, however, point to two things we should remember about the Internet.
One is that much of it is run with the products of companies that most average users never see or have any knowledge about. Cloudflare is one of those companies; it’s one of the go-to businesses for banks, retailers, messaging services and others that rely on it to safeguard their traffic. It’s one company that underpins a lot of the Web activity people use every day.
The second thing to note is that the Internet can be more chaotic and less polished than we often think. In Cloudflare’s case, a simple mistake affected millions of people.
“All of these systems are built quickly and by human beings who are writing code and trying to get things working in complicated environments,” Green said. “At start-ups like Cloudflare, which move fast, one person can write a piece of code and have half a billion people using it the next day.”