The Cloudbleed bug is the latest bug to have hit the Internet. According to estimates it may have exposed millions of usernames and passwords from various websites. Its name comes from the affected company, Cloudflare, a web services provider used by many major websites. An analyst at Google’s Project Zero, Tavis Ormandy, noticed a bug in the Cloudflare software that occasionally caused personal data to end up in web pages, where Google could crawl and index it.
Cloudflare, in this blog post, downplays the leak, which happened between September 22, 2016 and February 18, 2017. Gizmodo, on the other hand, advises you to change your password immediately because nearly 4.3 million domains might be affected.
This Wired post has a weird explanation of what Cloudflare did with the massive amount of data it handles for its 6 million customers:
In certain conditions, Cloudflare’s platform inserted random data from any of its six million customers—including big names like Fitbit, Uber, and OKCupid—onto the website of a smaller subset of customers. In practice, it meant that a snippet of information about an Uber ride you took, or even your Uber password, could have ended up hidden away in the code of another site.
For the most part, the exposed data wasn’t posted on well-known or high-traffic sites, and even if it had been it wasn’t easily visible. But some of the leaked data included sensitive cookies, login credentials, API keys, and other important authentication tokens, including some of Cloudflare’s own internal cryptography keys. And as Cloudflare’s service spewed random information, that data was being recorded in caches by search engines like Google and Bing and other systems.
How bad is the damage? It depends on serendipity, actually. Cloudflare explains that the data could only have leaked through a certain number of websites whose pages contained a particular HTML pattern – in total almost 3000 websites – that could trigger the Cloudbleed bug. The company is aware of 150 customers whose data was affected.
Although the odds of some hacker getting hold of your data are very low, almost every data security expert and tech analyst is advising you to change your password as soon as possible.