Cloudflare, a prominent and widely used content delivery network, announced on Thursday, February 23, that it had been accidentally leaking customers' sensitive information since last September.
Cloudflare is used to distribute web content on behalf of thousands of websites. To provide these services, Cloudflare has access to both the incoming and outgoing internet traffic of these sites. This incident, caused by a software bug at Cloudflare, exposed content sent and received in transit, whether or not it appeared to be transmitted securely. The leaked information was cached by search engines and includes passwords, private messages, API keys, and other sensitive data. Cloudflare announced that it worked with Google to remove all leaked data that was indexed, but it did not mention any other search engines.
For Cloudflare's incident report, see https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/.
For a list of possibly affected sites, see https://github.com/pirate/sites-using-cloudflare.
ACA Aponix recommends taking the following precautionary measures:
If you have any questions, please contact your ACA Aponix consultant or email us at email@example.com.