Everything You Need to Know about Cloudbleed and How to Keep Your Accounts Safe

Here’s everything you need to know about the #Cloudbleed data leak:

CloudFlare data leak

What is Cloudflare?

Cloudflare is a popular content delivery network and reverse proxy that, according to its site, “provides performance and security”, including DDoS protection, for millions of websites, among them Medium, Feedly, Fitbit, TransferWise, Zendesk, OkCupid and more.

What is Cloudbleed?

Cloudflare, which is used by more than 5.5 million websites, accidentally leaked sensitive user information from sites it proxied, including passwords, private messages, hotel bookings and more, between September 2016 and February 18, 2017. The leak has been dubbed ‘Cloudbleed’, after 2014’s Heartbleed.

Security researcher Tavis Ormandy of Google Project Zero identified the vulnerability, which was caused by a bug in Cloudflare’s HTML parser, known technically as a buffer overrun: the code read past the end of the buffer holding one request and returned adjacent memory that belonged to other requests. According to a blog post from Cloudflare, “our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data”, and they have not found “any evidence of malicious exploits of the bug or other reports of its existence.” Note the caveat: no evidence of exploitation is not the same as no exposure. Cloudflare’s incident report also says that pages containing leaked memory had been cached by search engines, which Cloudflare then worked with them to purge.

Image credit: Cloudflare / Gizmodo
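The mechanism described above, as an added example that is neither Cloudflare’s parser nor code from this post. Cloudflare’s incident report attributes the overrun to an end-of-buffer test written with == rather than >=: once a multi-byte step carried the parser’s pointer past the end of the buffer, the test never matched again and the parser kept copying whatever lay beyond. The toy rewriter below models that with a “<script” handler that consumes the tag name plus one delimiter byte. The page bytes, the neighbouring request data and the flat arena layout are constructed for the demo, and the output-buffer-full guard exists only so that the vulnerable run terminates.

```c
/* Toy model of an HTML rewriter whose end-of-buffer check uses == and so
 * keeps reading once a multi-byte step has carried the pointer past the end.
 * Build: cc -std=c11 -Wall -Wextra cloudbleed_overrun.c */
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for edge-server memory: the HTML being rewritten is
 * immediately followed by bytes that belong to a different visitor's request. */
static const char arena[] =
    "<html><p>hi</p><script"               /* 22 bytes: the page, cut off inside a tag */
    "Cookie: session=SECRET-TOKEN-123\r\n"  /* another request's headers */
    "Host: example.invalid\r\n";
#define PAGE_LEN 22   /* bytes that actually belong to the page */

/* Copies text from [p, pe) to out, dropping "<script" tag openers.
 * hardened=0 reproduces the bug pattern; hardened=1 is the corrected form.
 * Returns the number of bytes written (out is always NUL-terminated). */
size_t rewrite(const char *p, const char *pe, char *out, size_t cap, int hardened)
{
    size_t n = 0;
    /* BUG (hardened == 0): "p != pe" only stops the loop when p lands exactly
     * on pe. Once p has stepped over pe it never equals pe again. */
    while (hardened ? (p < pe) : (p != pe)) {
        if (n + 1 >= cap)   /* demo guard: simulated response buffer is full */
            break;
        if (*p == '<' && pe - p >= 7 && memcmp(p, "<script", 7) == 0) {
            p += 7;                     /* consume the tag name ... */
            if (hardened) {
                if (p < pe) p++;        /* ... and a delimiter only if one exists */
            } else {
                p++;                    /* BUG: assumes a delimiter follows; with
                                           "<script" ending the buffer, p == pe + 1 */
            }
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Rewrites the page portion of the arena into out and reports whether the
 * neighbouring request's secret ended up in the output. */
int leaks_secret(int hardened, char *out, size_t cap)
{
    rewrite(arena, arena + PAGE_LEN, out, cap, hardened);
    return strstr(out, "SECRET-TOKEN-123") != NULL;
}

int main(void)
{
    char out[64];
    printf("vulnerable: leaked=%d\n%s\n", leaks_secret(0, out, sizeof out), out);
    printf("hardened:   leaked=%d\n%s\n", leaks_secret(1, out, sizeof out), out);
    return 0;
}
```

Compile and run it: the vulnerable path emits the other request’s session cookie as part of the “rewritten” page, while the hardened path, which tests p < pe and only consumes a delimiter that is actually present, stops at the buffer end. On a real edge server the adjacent bytes are whatever the allocator placed next to the request, which is why the leaked material was cookies, authentication tokens and POST bodies from unrelated sites.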

Which websites were affected?

Cloudflare has not formally released a list of affected websites. However, a GitHub repository maintains an unofficial list of 4,287,625 possibly affected domains (and counting). Note that the list includes every domain that uses Cloudflare DNS, not only the domains proxied through Cloudflare’s edge, which is where the bug actually lived, so it overstates the set of sites that could have leaked data. Some of the major, notable sites on it include:

  • Uber.com
  • Fitbit.com
  • Yelp.com
  • Okcupid.com
  • Change.org
  • Zendesk.com
  • Medium.com
  • Patreon.com
  • Jquery.com
  • Glassdoor.com

To view the full list, go here: https://github.com/PIRATE/SITES-USING-CLOUDFLARE

Is Dashlane affected?

After further investigation by our Security Team, we’ve confirmed that Dashlane’s password manager is not affected by this data leak:

    • Your Dashlane account is not impacted by the Cloudbleed bug because Dashlane has never used Cloudflare as a service provider, and also because we add additional layers of encryption to protect your data.
    • Your Master Password is safe and does not need to be changed, as it is never transmitted.
    • Your personal data, when transmitted, is always encrypted locally with AES-256 before it leaves your device. Cloudbleed exposed plaintext from a proxy’s memory after TLS had been terminated; data that is already encrypted on the client would only ever appear as ciphertext in such memory, so it is not affected by this vulnerability.
    • In cases of data leaks or hacks, you can rest assured that Dashlane will notify users of compromised accounts via in-app Security Alerts. You can learn more about Dashlane’s Patented Security Architecture, and for technical details on how Dashlane handles HTTPS communications, please read our updated Security Whitepaper.

What should I do to protect my accounts?

Dashlane’s Security Team and other industry security researchers say the most effective thing you can do is to update your passwords as soon as possible, starting with accounts on sites that are proxied through Cloudflare and that you used during the affected period. We strongly encourage you to use strong, unique passwords on each and every one of your accounts, so that a hacker who obtains one password cannot use it to access your other accounts. Our Password Generator and Password Changer tools help you quickly create complex, unique passwords for all of your accounts.

Experts also recommend re-enrolling two-factor authentication on accounts where it’s enabled and signing out of all active sessions, since session cookies and authentication tokens were among the data that could have leaked. If you haven’t enabled 2FA yet, make sure you do so for all of your accounts whenever it’s available.

Updating your passwords may seem like a mountain of a task, but the cost of not doing so is far higher, and we’re here to help you make password security simple and your new top priority.


For additional information to help you protect your online accounts, check out these other resources on our blog:
What you should know about Dashlane’s Patented Security Architecture
Improve your overall password security strength in 5 easy steps
How to make strong passwords even stronger–the easy way
5 Quick Tricks to Improve Your Online Security in 5 Minutes


  • Florian

    Just an idea: why couldn’t you (Dashlane) provide us (your customers / users) with a SW update in which you provide a locally executed scan of the websites for which passwords are stored in my local database, comparing them with the affected websites? Matches could be highlighted and I could then renew the passwords of the affected sites (only). Refreshing all passwords just because of the alert would be pretty time consuming.

    • Hey Florian!

      That’s a really great idea! We really appreciate your feedback on this too. Since this case involved millions of potentially affected websites, we didn’t want users to receive dozens, or even hundreds, of in-app alerts.

      But we are constantly improving our processes and we’ve already started to make some improvements that will enable the kind of communication you suggested in this kind of unique situation.

      Thanks for letting us know this is important to you! I’ll submit this as a Feature Request and I’ll work with our Development team on these improvements.

      Kind regards,

      Malaika

      • Florian

        Hey Malaika,

        Great. You got my point. I prefer to get many alerts, in a similar fashion to the security dashboard, and then decide what I will do about them, instead of going through all of my passwords, as basically I would have to assume that they all have been breached (a fair assumption with > 4,287,625 possibly affected domains)…

        Best regards,

        Florian

        • Kikkit Brennan

          Exactly

        • JBinTX_2013

          Same here. I prefer to receive many alerts instead of going through and changing all my passwords. Great idea, Florian. Thanks for passing this along to Dashlane.

      • Kikkit Brennan

        Please do. A Feature Request sounds perfect.

        • Already done! Thanks for letting me know you’re interested!

  • Hampershill

    70-year-old Granny. Sure, I know what the heck you are talking about! English please. I haven’t a clue.

    • davhill

      Ok, Granny, let’s try this —
      A place that handles a lot of internet data had some buckets that got too full, and they didn’t close down the faucet and they weren’t catching what overflowed. Some of your account #s and passwords might be in the stuff that spilled. They don’t KNOW that anyone found or used the spillage, but it’s possible. Dashlane (which is like a little black book where you write down your account #s) wasn’t affected, so nobody can read your black book, but some of the banks or stores or websites where you do business on the internet might be compromised. So it’s prudent to change your passwords. That’s all. The rest is technical gabble.

      • Florian

        Hey davhill,
        Perfect wording. LOL! You displayed a wonderful competence 🙂

        • davhill

          I appreciate that, Florian, but I’ll wait for Granny Hampershill to say it makes sense to her!

      • JBinTX_2013

        It made sense to me as well and even though I’m not quite 70, I’m quite technically challenged sometimes. Thanks so much for this simple and easy to understand explanation.

    • Kikkit Brennan

      LOL. Yeah, give us some reassurance in plain old Granny English. Thank you

  • Perhaps to put some context on this Cloudbleed issue, it’s best to go to Cloudflare blog article “Incident report on memory leak caused by Cloudflare parser bug” for information.

    The greatest period of impact was between February 13 and February 18, with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).

    We are grateful that it was found by one of the world’s top security research teams and reported to us.

    Granted, if your data is part of the 0.00003%, it’s horrible. But it isn’t as though everything was leaked.

    • You might also wish to read ZDNet’s article “‘Cloudbleed’ post-mortem points to huge data leak, but no evidence of exploitation.”

      Prince (Cloudflare’s chief executive) confirmed in the blog post that 1.2 million requests were at risk of being leaked since the bug was inadvertently introduced in late-September until February 13 when the bug was fixed.

      He also said, despite Ormandy’s claim, that there were no credit cards or bitcoin addresses found in the leaked data, no health records or social security numbers, and no customer passwords.