Cloudflare, a prominent and common content delivery network, announced on Thursday, February 23, that it had accidentally leaked customers' sensitive information since last September.
Cloudflare is used to distribute web content on behalf of thousands of websites. To provide these services, Cloudflare is exposed to both incoming and outgoing internet traffic to these sites. This incident, due to a software bug at Cloudflare, exposed the content sent and received in transit, whether seemingly transmitted securely or otherwise. The leaked information was cached by search engines and includes passwords, private messages, API keys, and other sensitive data. Cloudflare announced that they worked with Google to remove all leaked data that was indexed, but they did not mention any other search engines.
For Cloudflare's incident report, see https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/.
For a list of possibly affected sites, see https://github.com/pirate/sites-using-cloudflare.
ACA Aponix Guidance
ACA Aponix recommends taking the following precautionary measures:
- Do not use the "remember this device" option on websites, as cookies associated with this feature can be exposed. For sites where this option was enabled, passwords should be rotated, as multi-factor authentication (MFA) could be bypassed if cookies were exposed in this breach.
- Enable MFA on all sites requiring a login, if possible. Ensure that credentials are rotated on sites that do not require MFA.
- If you use Cloudflare for content delivery, speak with your Cloudflare representative about the potential impact to your content, including remediation steps.
- Ensure that any API sessions against Cloudflare-hosted sites are IP-whitelisted, and rotate tokens.
- Periodically check for your sensitive data with an internet footprint analysis, and request removal if data is found, as sensitive data could remain in caches and search engines.
If you have any questions, please contact your ACA Aponix consultant or email us at email@example.com.