On February 23, 2017, content delivery network (“CDN”) provider Cloudflare disclosed a computer bug in its software that resulted in the leak of sensitive information from potentially thousands of websites over the course of five months, and some of the information has been found publicly available in search engine caches. While the overall likelihood that any single individual was significantly affected is low, the compromise of sensitive personal information or credentials that can be used to gain access to personal user accounts or corporate systems could result in substantial harm. Organizations should therefore determine whether and to what extent they (or their vendors) used Cloudflare services during the relevant timeframe, and if so, take measures to evaluate and address potential legal and contractual obligations, manage consumer concerns, and prevent future misuse of compromised information such as authentication credentials.
On February 23, 2017, a content delivery network (“CDN”) known as Cloudflare announced in a blog post that a bug in its code resulted in the leak of sensitive information from thousands of websites that used its services. The bug was initially discovered by a member of Google’s Project Zero bug-hunting team, who notified Cloudflare of the issue so it could fix it before the discovery was made public.
The leaked information includes user account credentials such as passwords and authentication tokens, as well as sensitive personal data such as private messages from dating websites, full messages from a popular chat service, hotel bookings, user IP addresses, and cookies. At least some of the leaked data was subsequently cached by search engines like Google and Yahoo, as well as by other web scrapers, and it remains exposed unless and until it is purged from those systems.
There are two reasons why this leak has received a lot of media attention and could potentially have a high impact. First, Cloudflare acknowledged that the bug may have resulted in the exposure of customer data for a nearly five-month period – since September 22. Second, any leaked information that was cached by search engines such as Google became publicly searchable.
Cloudflare has not publicized a full list of companies affected, but security researchers have found data from a number of popular websites in search engine caches. An unofficial listing of potentially affected sites exceeds 4 million.
Cloudflare reported that the most extreme leaks took place between February 13 and 18, but even then, the bug affected at most one in every 3.3 million webpage requests. Cloudflare also noted that it has discovered no evidence of “malicious exploits of the bug or other reports of its existence.” Nevertheless, uncertainties regarding the scope and sensitivity of leaked information make assessing the risk posed by the bug to any specific organization difficult. While the overall likelihood that any single individual was affected is low, the compromise of sensitive personal information or credentials that can be used to gain access to personal user accounts or corporate systems could potentially result in substantial harm.
Organizations should determine whether and to what extent they used Cloudflare services during the relevant timeframe, and if so, take measures to evaluate and address potential risks, such as:
- Assess whether potentially leaked data included Personally Identifiable Information (PII) or other sensitive information that may trigger legal or contractual breach notification obligations
- Assess whether potentially leaked passwords, tokens, or other authentication credentials could result in the compromise of user accounts, data systems or IoT devices, in which case resets or revocation of access rights may be necessary – some online operators are wiping their sites’ cookies and security certificates
- Assess whether the organization’s vendors or service providers may have been impacted by the incident and, by extension, present any risks to the organization’s assets or information
- Prepare communications to the organization’s users or customers regarding the potential impact of the Cloudflare incident, if any, and steps being taken to remediate that impact
- Consider whether incident response plans and personnel were sufficiently equipped to address this type of incident, and if not, consider improving practices to meet this and other evolving risk vectors