Justin Lee Tech 02.24.2017 11:Feb AM EST

CloudFlare Leaks Passwords And Messages From Dating Sites

Cloudflare, the company that offers SSL encryption to millions of sites worldwide has just announced the details regarding a new data leak. As per the post that the company has uploaded, they said that they have not identified any malicious usage of the leaked info yet. Nevertheless, Cloudflare also noted that an additional problem has been detected. Apparently, some of the data had already been cached by search engines

Cloudflare Dating Sites Data Leak 2017

The leak was initially detected by Google Project Zero's Tavis Ormandy last Feb. 18. However, as per The Verge's report, the problem might have already been in effect since Sept. 22 of last year. Cloudflare said that the biggest outpour of data started this Feb. 13, when a change in code meant one out of every 3,300,300 HTTP requests could have resulted to memory leakage. This figure is quite substantial for a network as big as Cloudflare.

Ormandy shared that he spotted hotel bookings, passwords and even full messages from dating sites within the cached data. The Project Zero worker then used Twitter to get the attention of Cloudflare who also quickly acknowledged the issue and immediately disabled three features that was using the broken code. The company then soon took the step of working with search engines to clear the data that have been cached.

Technicalities Of The Cloudflare Leak

This 2017 Cloudflare leak has received an unofficial title of "Cloudbleed" and as per the company, this issue was caused by coding mistakes. Cloudflare says that the bug had been in its code for the past years. However, it has never been uncovered until it switched from one parser to another. The move then subtly changed the buffering and ultimately caused the leak.

Effect Of The Cloudflare Leak

Cloudflare says that it took the company about seven hours to stem all the sources of the possible leaks. Ormandy also says that he was impressed with the company's quick response to the issue. Nevertheless, The Verge says that it is still a good idea and a safe step to change passwords, considering how intensely embedded Cloudflare is into the internet.