If you manage your own website or a host of websites, you’ve probably heard of the Cloudflare leak and how devastating it was for internet security. Yet even if you fear your data may be exposed, all is not lost. There are ways to secure your data once more and prevent another breach.
Just What Is Cloudflare?
Cloudflare is a service that improves site speed, security, and performance by acting as a reverse proxy for over 4 million websites, checking that the person browsing a site is a real human and not a bot or a DDoS attack. Cloudflare’s servers offer redundancy to ensure failover in the event of a server going down, giving always-on access, and they improve site security by preventing Distributed Denial of Service attacks. Ideally, Cloudflare should make your site more secure, not less secure.
Then, Just What Happened With the Leak, and What Does Cloudbleed Mean?
The Cloudflare leak happened when a bug in Cloudflare’s platform caused information to “bleed” out under certain circumstances. The bug was in the HTML parser, and the name “Cloudbleed” is a reference to the earlier Heartbleed bug that previously hit the internet. The problem arose when Cloudflare’s software parsed old parser code together with cf-HTML source code, leading to a buffer overrun vulnerability. The culprit? One character: a “==” that should have been a “>=”. Because of it, the parser’s data buffer for a specific website could fill up rather quickly and roll over into memory holding data from other websites, leading to the leak. A single typo led to pages upon pages of data exposure.
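To show why that one character mattered, here is an added, simplified C model (not Cloudflare’s code): a scan loop whose end-of-buffer test uses `==` beside the same loop using `>=`. The truncated-keyword stride is an assumed stand-in for whatever moved the real parser’s position past the end of its buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the Cloudbleed end-of-buffer check, not Cloudflare's
 * code. The scanner walks an HTML buffer of length pe using the offset p.
 * When it sees the keyword "<script" it advances p by the full keyword
 * length, even if the keyword is truncated at the end of the buffer (an
 * assumed stand-in for the code path that moved p past the end). */
static const char KEYWORD[] = "<script";

/* Bytes the scanner advances from position `at`, given `avail` bytes left.
 * A truncated keyword still yields the full stride: this is the unsafe step. */
static size_t stride(const char *at, size_t avail) {
    size_t klen = sizeof KEYWORD - 1;
    size_t n = avail < klen ? avail : klen;
    return (at[0] == '<' && memcmp(at, KEYWORD, n) == 0) ? klen : 1;
}

/* Runs the scan loop with the check the article describes:
 * strict=0 is the original "p == pe", strict=1 is the fix "p >= pe".
 * Returns 0 when the loop stops at the end of the buffer, otherwise the
 * number of bytes past the end that the next read would land on.
 * Offsets are used instead of raw pointers, so nothing is ever read
 * outside the buffer: the overrun is reported, not performed. */
static long scan(const char *buf, size_t len, int strict) {
    size_t p = 0, pe = len;
    if (len == 0)
        return 0;
    for (;;) {
        p += stride(buf + p, pe - p);
        if (strict ? (p >= pe) : (p == pe))
            return 0;                    /* bounds check fired: clean exit */
        if (p > pe)
            return (long)(p - pe);       /* "==" missed it: OOB read next */
    }
}

int main(void) {
    /* Constructed sample: a well-formed tag, and a tag cut off mid-keyword. */
    const char complete[] = "<script>x";
    const char truncated[] = "<a><scr";
    printf("complete  ==: %ld  >=: %ld\n", scan(complete, 9, 0), scan(complete, 9, 1));
    printf("truncated ==: %ld  >=: %ld\n", scan(truncated, 7, 0), scan(truncated, 7, 1));
    return 0;
}
```

With the truncated input the `==` variant reports that the next read would land 3 bytes past the end of the buffer, while the `>=` variant stops cleanly.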
What Kind of Data Leaked?
Anything that passed through the supposedly secure HTML parser while the bug was active: emails, usernames, passwords, OAuth tokens, personal messages. The leak wasn’t always active, but when it was, the exposed data could be indexed by Google and found through search. In fact, over 700 pages of accumulated data were available through Google search, much of it sensitive and private. Stumbling on it was a matter of knowing the right search terms or pure accident, but it still exposed many unwitting users to a serious breach of internet privacy.
While much of the data was random and could even be harmless, one of the leaks released one of Cloudflare’s own private keys into the wild. With that private key, a capable attacker could gain access to a good deal of private data from within Cloudflare’s own servers.
What Are the First Steps If I Suspect I’ve Been Breached?
There’s really no way to tell whether you’ve been breached, because of the varied and patchwork nature of the data, unless someone accessed private information about you and used it to commit acts that trigger fraud or identity theft alerts. For the most part, though, finding your own data in the breach and concretely identifying it as yours is borderline impossible: you would have to know the specific information that leaked and search for it by its exact phrasing.
However, there are a few precautions you can take to ensure that data accessed by others can’t be used against you, including:
Changing your passwords
All of them. Yes, all of them. You should be doing this periodically anyway. It’s daunting to have to manage passwords for so many sites that we use on a daily basis, but a password manager like LastPass can make it easier. Be careful not to use the same password on every site, or to reuse old passwords.
Use your own proxy
Tor and other proxies anonymize your browsing, which helps prevent the transmission of sensitive data that could be used to construct a profile of your identity.
Make effective use of two-factor authentication
This typically uses a code sent to your email or phone to confirm that a login to a specific site really came from you.
What If I’m a Hosted Website Affected by the Cloudflare Leak?
Technically, your website itself wasn’t affected by the Cloudbleed leak. Instead, your users’ data was captured as it passed between Cloudflare and your site. While your site’s architecture and integrity may technically be secure, your users’ data is still compromised, even if only in fragments. You should take steps such as:
Emailing your users
Be transparent with them about the effects of the Cloudflare leak and how it happened. Don’t spend too much time pointing fingers at Cloudflare, as that may raise doubts if you continue to use Cloudflare for reverse proxy services. Instead, assure them that your website is secure, and that all they need to do to secure their data once more is change their passwords.
Make password changes mandatory
When users next log in, require them to change their passwords, accompanied by an announcement about the Cloudflare leak.
Strengthen password requirements
Raise the required level of complexity, such as requiring a symbol or a leading number. Encourage users to choose longer passwords that aren’t derived from dictionary words.
Implement two-factor authentication
Give users the option to secure their data and accounts further through this security method.
Investigate better encryption methods
Server-side encryption may not help if there’s another Cloudflare leak in the link between the end user and your server, but stronger encryption can still make your users feel more secure, and it protects their data from malicious actors who may try to make use of the data leaked during the breach.
How Many People Were Affected by the Cloudflare Leak?
Supposedly, over 1.2 million leaks took place before the bug was identified and remediated. If each of those leaks represents an individual user rather than a repeat visitor, that amounts to the equivalent of a third of the population of the United States.
What Major Websites Were Affected by Cloudbleed?
Over 6,457 websites were affected, many of which you’ve likely never heard of; Cloudflare provides services to both large and small hosted sites. Some of the major ones, though, were dating site OkCupid, ride service Uber, and health and activity tracker Fitbit. In truth, the list of Cloudflare-fronted websites is so massive that it’s safer to assume any website you use that relies on Cloudflare’s proxy and/or DNS was compromised.
How Did Cloudflare Address the Leak?
The first step was to purge over 80,000 cached pages from search engines, including Yahoo, Google, and Bing. Many of the leaks included cookie data, and that data could be used to access a user’s account on a specific site. Of course, Cloudflare also immediately addressed the bad HTML parser code that led to the bug, implementing a fix to patch the issue, but not before months of massive data leakage.
Then How Bad Was Cloudbleed, Really?
It could have been a lot worse. Luckily, it was discovered by Google researcher Tavis Ormandy and not by a malicious attacker. The random nature of the leaked data also means that much of it was not actually sensitive, with only an estimated 12,000 users having sensitive data exposed. None of that data appears to be encryption keys, credit card information, or passwords. As of yet, no known attacks have taken place using the data leaked in the breach.
What Should I Do If My Site Is Ever Hit by a Data Breach?
The first and best way to prevent further breaches is to shut everything down. It’s better to take your website offline than to leave it online, accessible, and vulnerable to potential attackers. Next, bring it back up in a sandbox environment. Run every diagnostic and test you can to determine the source of the breach, and remedy it with better security and patches. You should also investigate exactly what kind of data was compromised and the effect that compromise will have on you and your users.
The next step is to inform your users. They have a right to know which of their data was compromised. Take steps to either close their accounts or change their passwords, and offer the option to purge their data. Attackers may have only gotten a partial cross-section of user data, but that is enough to let them access additional information if it is left in your repositories. Be completely transparent about the steps you are taking, and advise your users on what they can do to protect themselves, including setting up fraud alerts and identity theft watches with credit bureaus.
But What If Disclosing Loses Customers?
You’ll lose more than customers if you fail to disclose a data breach. You’ll lose trust, which can negatively affect your reputation for the life of your company, and that can also turn away new customers who might otherwise have trusted you. Give your users clear and useful information with no omissions or back-pedaling. Explain what happened, and make it clear that their trust matters to you and that you’re doing everything you can to remediate the situation. Assure them that there are precautions they can take, and take every precaution of your own before bringing your website back online and opening it to your users once more.