What do I do then?
Everyone, no matter how secure their shit was is fucked, right?
Cloudfare service used by 5.5 million sites may have leaked passwords and auth.tokens
- Thread starter Mr.Shrugglesã
- Start date
- Status
What do I do then?
Everyone, no matter how secure their shit was is fucked, right?
TheAbsolution
Member
Cloudfare is done, right? Nobody should ever trust this company ever again.
It seems like Greenmangaming.com uses cloudflare ...
Lord Frieza
Member
The only website I'm finding so far that I use with Cloudfire is reddit, so I went ahead and changed it. Had no personal info there and a unique password so I think I lucked out
darkistheway
Member
Probably explains why someone in Munich used my password this morning. Google denied them and I had to reset everything. Turned on 2FA. Going to start systematically changing passwords every so often. Way too many breaches happening to feel secure.
George Oscar Bluth II
Banned
Found out my mum hadn't used TransferWise since July 2016. Does that mean we're "safe"?
Lord Frieza
Member
It's already been said that Google doesn't use this I believe
ROFL.
darkistheway
Member
Yeah I see that now. Just a coincidence, I guess. I have no idea how my password got out there.
Lord Frieza
Member
Ah shit, I found one that affected me. Apparently Sling TV has been affected, if you subscribe you need to change your stuff
.Detective.
Member
Question for clarity, in the link provided with the sites, I found only 3 that I have visited in the timeframe of the Cloudflare leak issue. However I don't have accounts on those specific sites at all, as I just browse them.
Am I assume that I need to still change passwords for any regular site I browse with an account not listed in any of the cloudflare site lists provided within this thread, on the off chance that the affected Cloudflare used site, may have sent an information data request to a non-affected site where I do have a login account?
Am I assume that I need to still change passwords for any regular site I browse with an account not listed in any of the cloudflare site lists provided within this thread, on the off chance that the affected Cloudflare used site, may have sent an information data request to a non-affected site where I do have a login account?
OdysseusVA
Banned
I dont use any of those sites
Crimsonclaw111
Member
Lastpass is all you need
firehawk12
Subete no aware
That's one thing I'm not sure about. I use Google to log into Medium, so I'm not sure if my Google account may have been compromised by Google exchanging information with Medium to log me in.
I'm going to assume if you just browsed a site and did not exchange any secure information, then you should be fine?
Japanmanx3
Member
9 potentials for me...oof...
Yes, tried to quickly delete my accounts on a few sites. Seems to be impossible. Didn't find how to delete them.
The only password manager I need is a notebook.
Daffy Duck
Member
I believe cdkeys.com use it too.
Hidden One
Member
Damn I use 3 of those and I don't even wanna know what the full list of sites are...Ugh I don't want to have to go through changing everything
edit: Actually is there a full list of sites that have been compromised?
GHG
Member
Damn I use 3 of those and I don't even wanna know what the full list of sites are...Ugh I don't want to have to go through changing everything
edit: Actually is there a full list of sites that have been compromised?
Here:
https://github.com/pirate/sites-using-cloudflare
It's in the OP as well.
Just change everything.
Hidden One
Member
texhnolyze
Banned
Fiverr is affected. Oh shit.
Stumpokapow
listen to the mad man
This really should not be ruining your weekend. It is a configuration induced security vulnerability, not a hack. There is no evidence anyone exploited it, and while the scope has the potential to be quite large, we know very little about whose information has been exposed, and what of that information is available. This is not like a site-wide hack where the best thing to do is immediately move to reset your password. That Github list strikes me as totally irresponsible, just listing any site that used Cloudflare, with no details about whether it used the affected features, what kind of session data was being sent on the site, etc. If it makes you feel more comfortable, update a password, but I think the vast majority of people could stand to wait for a few days, find out the scope and recommendations that come as a result, and then acting in due time.
GHG
Member
Other notable sites that gaffers might frequent:
Nexusmods.com
Moddb.com
For London GAF:
Tfl.gov.uk
Ok thanks, seeing this upon recently waking up is quite unsettling. I will stop panicking.
Nexusmods.com
Moddb.com
For London GAF:
Tfl.gov.uk
Ok thanks, seeing this upon recently waking up is quite unsettling. I will stop panicking.
for now
George Oscar Bluth II
Banned
I tend to panic at this sort of stuff but this post reassured me.
Subway Diet
Member
So, I'm guessing the best we can do is sit back and hope that the situation doesn't blow all the way up?
While we're taking password managers. I've been using Dashlane for the last year and a bit. They're reputable, right?
While we're taking password managers. I've been using Dashlane for the last year and a bit. They're reputable, right?
Lilalaunebaer
Member
Well, i´ve been changing passwords for the last half hour at work.
Crunchyrool
patreon
Greenmangaming + Steam since i linked it with it
Humblebundle
paypal because i payed with paypal on those sites
reddit
Fuck me, and give that man more than a t-shirt lmao
Crunchyrool
patreon
Greenmangaming + Steam since i linked it with it
Humblebundle
paypal because i payed with paypal on those sites
Fuck me, and give that man more than a t-shirt lmao
Good advice to go by.
I try to keep my online presence as simple as possible. No linking between accounts, different passwords for each site, and a bare minimum presence.
firehawk12
Subete no aware
Probably just a coincidence but Reddit is making me reset my password... and of course the password emailer thing seems to be borked.
Didn't even know cloudfare supplied these services always though of them as just DDos migration.
Ha I had a strong feeling it would was going to be Tavis that discovered this. Guy has been doing some great work.
Kaleinc
Banned
It would be funny if mastodons like google used punk ass anti ddos solutions.
Hmm? Their write-up was rather thorough and open. Also mitigation and fix time was quite expeditious. Engineering is hard.
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
Helensmith
Member
Sorry for a dumb question... What if the password managers get hacked one day? Aren't they the holy grail and more likely to be attempted?
I suooose it's still better to have to change passwords once if that ever happens, rather than multiple random times as one site gets hacked?
I suooose it's still better to have to change passwords once if that ever happens, rather than multiple random times as one site gets hacked?
God damn
Quick Mustard
Member
So, for those of us who have been signed out on devices which use our google accounts, if they're not affected by this, why have we been signed out? Or have I missed something when reading this thread?
FantasticMrFoxdie
Mumber
Hoolly fucking shiiit thats insane
edit: ahh hopefully they were the first to actually catch this and plug this accordingly
edit: ahh hopefully they were the first to actually catch this and plug this accordingly
that apparently could do with Google changing something with 2FA on their end yesterday. Not sure though.
AHA-Lambda
Member
Is this why I got randomly kicked off my YouTube account on iOS last night?
So basically this is "reset all passwords" time right?
So basically this is "reset all passwords" time right?
The Google-signout seems to be unrelated to the Cloudflare issue (so far).
Quick Mustard
Member
- Status