Late last week, internet infrastructure company Cloudflare confirmed that potentially sensitive customer data had been leaked across the internet for as long as the last five months. The leak, now being referred to as “Cloudbleed,” includes session tokens, passwords, private messages, API keys, and other sensitive data by sites powered by Cloudflare. The bug has now been patched by the company. However, leaked data remains cached by search engines which are gradually removing it.
Was RoboForm affected?
No. RoboForm does not use Cloudflare.
What sites were affected?
There is no official list. However, a GitHub user has compiled a list of over 4 million sites that were potentially affected, including many large sites such as Fitbit, Uber, and Medium. This list is comprised of all domains that use Cloudflare DNS, not just the subset with the three features causing the leak.
How much data was leaked?
Cloudflare states that “The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).”
According to Ryan Lackey, who worked on security at Cloudflare until 2015 when he left to start his own company: “Essentially, [a] broad range of data was potentially at risk, but the risk to any individual piece of data was very low. Regardless, unless it can be shown conclusively that your data was NOT compromised, it would be prudent to consider the possibility it has been compromised.”
How to keep your logins safe
For the time being, it appears that a relatively small amount of individual credentials might have been exposed in this leak. If you do have an account with a site you believe may have been affected by Cloudbleed, there are some safety precautions you can take. One is to change your password. Another is resetting session tokens by logging in and out.
If you do change your passwords, remember:
- Use a password manager. This may seem self-serving for us to say, but it’s true. By using a password manager, you are more likely to keep each app or website’s password unique, reducing the likelihood of a hacker gaining total access to your online identity through duplicated passwords.
- Make passwords complex and impersonal. Leverage both upper and lowercase letters along with symbols and numbers were applicable. Ensure the password is random and can never be guessed based on general knowledge others may have about you.
- Don’t use the same password on more than one site. In the event one of your passwords is leaked, you want to limit any potential damage to only one site.