Support NeoGAF

[greepoman]

I don't have accounts on any of the sites listed so far. What are some of the other 1600+?

link of 10,000 + a download of 4 million

 

[BreezyLimbo]

So I'm trying to go to https://www.uber.com to change my password

but it keeps directing me to what appears..to be the thai website?

 

[Kthulhu]

Brb just gonna rest all of my passwords now.

 

[Vanillalite]

Keep in mind the linked list is probably like 99% not the actual full list of effected websites.

 

[TheCochese]

Thankfully only one or two sites on that list that I use, but I'm not going to go through that download.

 

[Lace]

The most surprising thing to me is that their top reward for vulnerabilities found is a t-shirt. A potentially company ending bug is worth $15 bucks. They owe this engineer a shit ton for his efforts.

 

[Diablos]

Keep in mind the linked list is probably like 99% not the actual full list of effected websites.

It's still a dangerous precedent and Cloudflare is eternally fucked

The Internet really cannot go on like this. Not sure what the solution is.

 

[Joyful]

wew lad this is a big fuckup

 

[stump sock]

The most surprising thing to me is that their top reward for vulnerabilities found is a t-shirt. A potentially company ending bug is worth $15 bucks. They owe this engineer a shit ton for his efforts.

I will say that as someone who has attempted to work with their support team (not as a customer) regarding security issues, this does not surprise me. I don't think I've encountered another company so dismissive of legitimate security inquiries.

 

[Ozzy Onya A2Z]

I hope GitHub doesn't lead to developers inadvertently allowing easy access to other services said developers use. Sadly I know devs that reuse emails/passwords in many places, important ones even. It could be a real nightmare into some commercial spaces beyond just the affected websites listed.

 

[SapphiCine]

If I haven't used some of those sites during the time frame, would anything have been leaked?

 

[SchrodingerC]

Thank god for password managers, as long as they stay secure and encrypted.

 

[PumpkinSpice]

I hope GitHub doesn't lead to developers inadvertently allowing easy access to other services said developers use. Sadly I know devs that reuse emails/passwords in many places, important ones even. It could be a real nightmare into some commercial spaces beyond just the affected websites listed.

Github doesn't use Cloudflare. Very few respectable companies do. They're pretty much the domain of porn sites, illegal shit, and stupidly cheap people.

 

[Vanillalite]

Keep in mind the linked list is probably like 99% not the actual full list of effected websites.

It's still a dangerous precedent and Cloudflare is eternally fucked

The Internet really cannot go on like this. Not sure what the solution is.

I think my wording was bad.

I actually agree with you. It's worst case scenario bad, and even if you don't see a specific site on the list just act like it is anyways.

 

[Kyrios]

Jesus Christ, Cloudflare.

Time to change some passwords just in case.

 

[PumpkinSpice]

If I haven't used some of those sites during the time frame, would anything have been leaked?

No, the security hole was just ("just") leaking entire unencrypted https packets. So only active comm during that timeframe would be compromised.

 

[megarockexe]

Wow that list is gigantic. But quite a few notable sites on there. Will we actually see any affects of this soon though?

 

[SapphiCine]

I see Glassdoor on the list. That's going to be really bad for some people.

 

[Blizzard]

Github doesn't use Cloudflare. Very few respectable companies do. They're pretty much the domain of porn sites, illegal shit, and stupidly cheap people.

Stack Overflow, Betterment, Digital Ocean, Reddit, Yelp, and Uber are pretty well known though.

 

[LurkerPrime]

Oh dear. Cloudbleed is upon us.

The information leaked is... super troubling. Even changing passwords won't fix what happened here. Dammit.

 

[Vanillalite]

Uber big as a fuck ton of regular people in major cities use them.

 

[Spiral Insanity]

Uber big as a fuck ton of regular people in major cities use them.

They do not have a password change function.

Their reset password emails cause a 500 error.

This is thread-worthy, I can't believe how they fucked up.

 

[Garou]

So if I understand this correctly this is huge in scope, but probably small in amount? Just a very small percentage of any of the communication through the service landed on caches? So while all those services may be affected, it's just very small random amounts of data for each of them, right?

 

[Willy Wanka]

Changed my humblebundle password since its on the list. There are lots of other sites I use too but none that I have log-ins for afaik. I'll check the list thoroughly though.

 

[DJ_Lae]

Would explain a weird purchase someone made on my NCIX account a couple of weeks back, I guess - thankfully it was an old password that I had migrated from almost all sites, just didn't get around to NCIX as I haven't ordered from them in years, but it could very well have come from one of the others.

Where it leaked from was more interesting to me than the fact it got out there.

 

[LiK]

Fucking hell, this is super annoying.

 

[Core Zero]

Soooo... Any good recommendations for a password manager? It's well past that time for me.

 

[Kyrios]

Is Amazon and Google affected by this at all?

 

[Trouble]

Is Amazon and Google affected by this at all?

No, neither of them use cloudflare.

 

[Kthulhu]

Soooo... Any good recommendations for a password manager? It's well past that time for me.

LastPass is GOAT. 1Password if you don't like the idea of a company having that stuff on a server, even though it's encrypted.

 

[Kyrios]

No, neither of them use cloudflare.

Thanks so much!

 

[SchrodingerC]

Soooo... Any good recommendations for a password manager? It's well past that time for me.

LastPass is the savior and saint.

 

[FyreWulff]

TBH it's honestly just easier to change all your passwords instead of trying to figure out which ones were used by Cloudflare

Github doesn't use Cloudflare. Very few respectable companies do. They're pretty much the domain of porn sites, illegal shit, and stupidly cheap people.

what the fresh hell is this

 

[Ran rp]

www.doesitusecloudflare.com

 

[Trouble]

www.doesitusecloudflare.com

lol that site is getting slammed right now

 

[PumpkinSpice]

what the fresh hell is this

I spend a massive chunk of my time each month ensuring a service with a much smaller attack surface than a https proxying edge server is properly secured, so I get a little upset when I see anyone trusting as visibly shifty a company as Cloudflare.

I get why some actual legit sites that aren't serving porn or even child porn or torrents or hocking bitcoins or hosting white supremacist discussions would want to use them; I mean they're cheap. But there's a reason why competitors use special cages with armed guards and entirely separate networks with thorough audits and tracing on just about everything for https traffic, and there's a reason that's expensive, and a reason why it's not worth cheaping out on.

 

[FyreWulff]

I spend a massive chunk of my time each month ensuring a service with a much smaller attack surface than a https proxying edge server is properly secured, so I get a little upset when I see anyone trusting as visibly shifty a company as Cloudflare.

I get why some actual legit sites that aren't serving porn or even child porn or torrents or hocking bitcoins or hosting white supremacist discussions would want to use them; I mean they're cheap. But there's a reason why competitors uses special cages with armed guards and entirely separate networks with thorough audits and tracing on just about everything for https traffic, and there's a reason that's expensive, and a reason why it's not worth cheaping out on.

i do hate their intentional breaking of the entire point of https.. but I don't associate them with shady sites. I associate them with cheap DDoS protection.

 

[Kthulhu]

Fuck.

 

[Elfforkusu]

This is going to be a fiasco of impressive proportions.

It looks like I should change my discord password, going to have to take note of which others I'll need to refresh.

Github doesn't use Cloudflare. Very few respectable companies do. They're pretty much the domain of porn sites, illegal shit, and stupidly cheap people.

???

 

[spawnsniper]

Ho lee shit!

 

[BigJonsson]

Only use a few of the major sites listed and changed passwords, what is up with Uber?

 

[Kthulhu]

God damnit Reddit is giving me a 500 error.

 

[Aarglefarg]

I see opencritic on the list.
Destructoid as well.
Humble Bundle as some more people have said.

 

[Chanser]

Better change my coinbase password.

 

[HungOverOnATues]

Holy shit. Time to change passwords for... everything, I guess. Unbelievable.

 

[Vectorman]

Deactivated my reddit account. Didn't have anything on it that I need and it's not like I visit that site much so better to get rid of the account altogether. What a mess though.

 

[nyan]

Changed my discord and crunchyroll passwords, dunno why humble isn't letting me. It just keeps refreshing the page without changing the password. Removed my CC from the account just in case. I'm just glad Lastpass isn't affected.

 

[George Oscar Bluth II]

Jesus Christ. I wasn't affected by this but I just had to change my mum's TransferWise password because it's on the list.

This service seems incredibly incompetent.

Oh dear. Cloudbleed is upon us.

The information leaked is... super troubling. Even changing passwords won't fix what happened here. Dammit.

Wait, so my mum's credit card info could have been floating around out there? FUCK. What do we do?

 

[Mindlog]

Oh dear. Cloudbleed is upon us.

The information leaked is... super troubling. Even changing passwords won't fix what happened here. Dammit.

Yeah, that.

 

[Elfforkusu]

Oh dear. Cloudbleed is upon us.

The information leaked is... super troubling. Even changing passwords won't fix what happened here. Dammit.

I think "bleed" undersells it. This was a mass broadcast of random private data.