Here’s everything you need to know about the #Cloudbleed data leak:

CloudFlare data leak

What is Cloudflare?

Cloudflare is a popular content delivery network and according to their site, “provides performance and security”, including DDoS protection for millions of websites, including Medium, Feedly, FitBit, TransferWise, Zendesk, OK Cupid and more.

What is Cloudbleed?

Cloudflare, which is used by more than 5.5 million websites, accidentally leaked mass amounts of sensitive user information from those sites, including passwords, private messages, hotel bookings, and more between September 2016 and February 18th of this year. The leak has been dubbed ‘Cloudbleed’.

Security researcher, Tavis Ormandy, identified the vulnerability, which is the result of a software bug in their code, known technically as a buffer overrun. According to a blog post from Cloudflare, “our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data” and that they have not found “any evidence of malicious exploits of the bug or other reports of its existence.”

Image credit: Cloudflare / Gizmodo

Which websites were affected?

Cloudflare has not formally released a list of affected websites. However, a Github account has an unofficial list of 4,287,625 possibly-affected domains (and counting) that use Cloudflare DNS, not just the Cloudflare proxy that was primarily affected. Some of the major, notable sites include:

  • Uber.com
  • Fitbit.com
  • Yelp.com
  • Okcupid.com
  • Change.org
  • Zendesk.com
  • Medium.com
  • Patreon.com
  • Jquery.com
  • Glassdoor.com

To view the full list, go here: https://github.com/PIRATE/SITES-USING-CLOUDFLARE

Is Dashlane affected?

After further investigation from our Security Team, we’ve confirmed that Dashlane’s password manager is not affected by this data leak:

    • Your Dashlane account is not impacted by the Cloudbleed bug as Dashlane has never used Cloudflare as a service provider, but also because we add additional layers of encryption to protect your data.
    • Your Master Password is safe and does not need to be changed, as it is never transmitted.
    • Your personal data, when transmitted, is always ciphered locally with AES-256, which is not affected by the Cloudbleed vulnerability.
    • In cases of data leaks or hacks, you can rest assured that Dashlane will notify users of compromised accounts via in-app Security Alerts. You can learn more about Dashlane Patented Security Architecture, and for technical details on how Dashlane handles HTTPS communications, please read our updated Security Whitepaper.

What should I do to protect my accounts?

Dashlane’s Security Team and other industry security researchers say the most effective thing you can do is to update your passwords as soon as possible. We strongly encourage you to use strong, unique passwords on each and every one of your accounts to prevent a hacker from access multiple accounts if one is compromised. Our Password Generator and Password Changer tools to help you quickly create complex, unique passwords for all of your accounts.

Experts also recommend resetting two-factor authentication tokens for accounts where it’s enabled, since 2FA codes may have been compromised. If you haven’t enabled 2FA yet, make sure you do so for all of your accounts whenever it’s available.

Updating your passwords may seem like a mountain of a task, but the costs of not doing so leave much more at stake and we’re here to help you make password security simple and your new top priority.


For additional information to help you protect your online accounts, check out these other resources on our blog:
What you should know about Dashlane’s Patented Security Architecture
Improve your overall password security strength in 5 easy steps
How to make strong passwords even stronger–the easy way
5 Quick Tricks to Improve Your Online Security in 5 Minutes