Cloudflare service used by 5.5 million sites may have leaked passwords and auth tokens

Status
Not open for further replies.
The most surprising thing to me is that their top reward for vulnerabilities found is a t-shirt. A potentially company ending bug is worth $15 bucks. They owe this engineer a shit ton for his efforts.
 

I will say that as someone who has attempted to work with their support team (not as a customer) regarding security issues, this does not surprise me. I don't think I've encountered another company so dismissive of legitimate security inquiries.
 
I hope GitHub doesn't lead to developers inadvertently allowing easy access to other services said developers use. Sadly I know devs that reuse emails/passwords in many places, important ones even. It could be a real nightmare into some commercial spaces beyond just the affected websites listed.
 

Github doesn't use Cloudflare. Very few respectable companies do. They're pretty much the domain of porn sites, illegal shit, and stupidly cheap people.
 
Keep in mind the linked list is probably like 99% not the actual full list of affected websites.

It's still a dangerous precedent and Cloudflare is eternally fucked

The Internet really cannot go on like this. Not sure what the solution is.

I think my wording was bad.

I actually agree with you. It's worst case scenario bad, and even if you don't see a specific site on the list just act like it is anyways.
 
Oh dear. Cloudbleed is upon us.

The information leaked is... super troubling. Even changing passwords won't fix what happened here. Dammit.
 
So if I understand this correctly this is huge in scope, but probably small in amount? Just a very small percentage of any of the communication through the service landed on caches? So while all those services may be affected, it's just very small random amounts of data for each of them, right?
 
Changed my humblebundle password since it's on the list. There are lots of other sites I use too but none that I have log-ins for afaik. I'll check the list thoroughly though.
 
Would explain a weird purchase someone made on my NCIX account a couple of weeks back, I guess - thankfully it was an old password that I had migrated from almost all sites, just didn't get around to NCIX as I haven't ordered from them in years, but it could very well have come from one of the others.

Where it leaked from was more interesting to me than the fact it got out there.
 
TBH it's honestly just easier to change all your passwords instead of trying to figure out which ones were used by Cloudflare

Github doesn't use Cloudflare. Very few respectable companies do. They're pretty much the domain of porn sites, illegal shit, and stupidly cheap people.

what the fresh hell is this
 

I spend a massive chunk of my time each month ensuring a service with a much smaller attack surface than a https proxying edge server is properly secured, so I get a little upset when I see anyone trusting as visibly shifty a company as Cloudflare.

I get why some actual legit sites that aren't serving porn or even child porn or torrents or hawking bitcoins or hosting white supremacist discussions would want to use them; I mean they're cheap. But there's a reason why competitors use special cages with armed guards and entirely separate networks with thorough audits and tracing on just about everything for https traffic, and there's a reason that's expensive, and a reason why it's not worth cheaping out on.
 

I do hate their intentional breaking of the entire point of https, but I don't associate them with shady sites. I associate them with cheap DDoS protection.
 


Fuck.
 
This is going to be a fiasco of impressive proportions.

It looks like I should change my discord password, going to have to take note of which others I'll need to refresh.

Github doesn't use Cloudflare. Very few respectable companies do. They're pretty much the domain of porn sites, illegal shit, and stupidly cheap people.
???
 
Deactivated my reddit account. Didn't have anything on it that I need and it's not like I visit that site much so better to get rid of the account altogether. What a mess though.
 
Changed my discord and crunchyroll passwords, dunno why humble isn't letting me. It just keeps refreshing the page without changing the password. Removed my CC from the account just in case. I'm just glad Lastpass isn't affected.
 
Jesus Christ. I wasn't affected by this but I just had to change my mum's TransferWise password because it's on the list.

This service seems incredibly incompetent.
Oh dear. Cloudbleed is upon us.

The information leaked is... super troubling. Even changing passwords won't fix what happened here. Dammit.
Wait, so my mum's credit card info could have been floating around out there? FUCK. What do we do?
 