Cloudbleed: What you need to know and what you need to do

Hide your keys, hide your phone
Hide your keys, hide your phone (Image credit: Android Central)

On February 17, 2017, vulnerability researcher from Google's Project Zero Tavis Ormandy stumbled across what looked like a really nasty data leak from Cloudflare, a web performance and security company. He quickly contacted the "right" people at Cloudflare and the situation was addressed in less than an hour.

Any data breach can be significant. Especially when a service has over one billion users. We'll direct you to the Cloudflare incident report for the full details of what happened (warning: it's pretty technical). In layman's terms, data was leaked that was potentially sensitive. This data was available to anyone, even web spiders used by search engines. SSL keys were not leaked.

The Cloudflare features that used the affected HTML parser (email obfuscation, Server-side Excludes, and Automatic HTTPS Rewrites) were in use by a lot of companies. Most likely companies that you have online accounts with, This means your data may have been exposed.

Mobile Nations uses some of Cloudflare's services. In fact, you'll find us on the list floating around of sites potentially affected. We have verified that the affected services aren't in use nor have ever been used on any Mobile Nations sites.

See more

We also received notice from Cloudflare about the leak and they had this to say:

Your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.

Look for a similar statement from other places you have an account with for information about your data that may have been exposed.

What should I do

Like most big security instances, we'll never know the full details of what was and wasn't leaked out. We can confirm that we aren't using the services that were mentioned as vulnerable, but we don't know how anything else on Cloudflare's servers might have been affected. Every Cloudflare customer is in the same boat.

That means it's time for you to get proactive.

Change the password for all of your online accounts

Yes, this sucks, but know what sucks more? Having someone get your details and have access to stuff you don't want them to have access to. Use a password manager and let it make crazy passwords and remember them for you if you don't have your own password management routine. If you haven't used a password manager in the past but wanted to check one out, now is a perfect time.

More: Best password managers for Android

Now is also a good time to remember that you should be changing your passwords regularly, which makes a password manager a must if you have a lot of accounts.

Enable two-factor authentication on every account that has it available as an option

If you have two-factor authentication enabled, someone else with your login details still won't be able to access your account. Two-factor authentication can also be a pain in the butt sometimes, but it's the best way to protect yourself when a big data breach happens, like the one we're seeing now.

Here are some resources on two-factor authentication.

Nothing we can do will prevent these kinds of data leaks. The important thing is what we can do to protect ourselves when they happen,

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • wow. people should try to keep everything private on their devices and external storages. all emails and cloud stuff with any sensitive information should be deleted shortly after exchange.
  • gmail/google isn't on the list. not sure why you used that pic
  • Thousands of sites that use Google Login were on that list.
  • I have literally hundreds of online accounts though :/ I don't want a password manager as if anyone gets hold of the master password then everything is compromised instantly. It sounds inherently insecure.
  • I have hundreds of online accounts as well, and switched to a password manager years ago. Because even if you refuse to trust your password manager with the accounts you truly care about, using one to generate and store passwords eliminates (or at least, greatly reduces) the temptation to use or reuse crappy passwords on J.Random's Web Forums of Dubious Security, so if J.Random announces that the dog he was writing user passwords on ran away, you don't have to worry that the password you used there leaks /any/ information about passwords you used anywhere else. Also, it's not like you're forced to store the /entire/ password in your password manager.
  • I never use any cloud stuff, I have plenty of places to backup to without putting it all on some other persons database...
    What info can they get if they hacked this site?
  • Personally I would never use a password manager. I'm just waiting for the first "Password manager software hacked!" article for it to all come crashing down. I keep mine on a piece of paper in a book. At least that way the 'hacker' has to actually break into my home and find it which is probably several orders of magnitude more difficult than any online solution.
  • Why are we suddenly getting loads of spam links appearing on these forums? Seen them on Windows central too
  • Right?? there must be a way to report posts as spam so the accounts can be deleted and minimize the problem
  • There must be an automated recognition script for refusing these comments as well
  • There is, but if you dial things in too tight legit comments get flagged. They come in waves. Articles about Verizon and T-Mobile, as well as articles like this one bring them in. When all their bots get banned they'll move on to something else.
  • My method: use crazy passwords for banking and vital paid services, then memorize them, write them down and keep a physical copy somewhere safe; everything else just use the same damn password. I mean like who's going to hack your Netflix account anyways (other than crazy ex gf). I am not letting a third party handle my passwords ever.