Last week, the most significant internet leak of 2017, dubbed the ‘Cloudbleed’ (in reference to 2014’s ‘Heartbleed’), exposed users’ private information and log-in details for thousands of websites.
The leak was discovered on February 17 by security researchers on Google’s Project Zero bug-hunting team. The team shifts through publicly available website data to look for errors. Their team discovered a major flaw in the Cloudflare Internet infrastructure service that causes the leakage of private session keys and other sensitive information across websites hosted with Cloudflare.
In a nutshell, due to the error Cloudflare ran out of space on its servers, and started moving those files to other places. Google and other search engines automatically cached some of this exposed data. This included certain passwords, private messages, etc. from sites that use Cloudflare.
On Thursday, February 23, 2017, Cloudflare acknowledged the issue, and stated that the greatest period of impact was from February 13 and February 18 (although they also acknowledged it could have started as early as September 2016).
Are you affected?
The list of 4.2 million domains possibly affected includes some of the Internet’s most popular websites.
However, the real danger of Cloudbleed depends on whether or not the flaw was maliciously exploited before it was patched. If not, there’s a relatively small likelihood that anyone nefarious has your passwords. If so, there’s a significantly higher one.
Is SchedulePro affected?
SchedulePro accounts are not impacted by the Cloudbleed bug, as SchedulePro has never used Cloudflare as a service provider. In addition, SchedulePro uses additional layers of encryption to protect data. SchedulePro data is hosted in an SSAE 16 Type II environment and is transmitted using 256-bit AES Encryption.
What to do now?
Despite the severity of the Cloudbleed leak, most likely you are fine. Unless the data was intercepted by malicious third parties, there may be no further negative impact to users and their data. However, it is possible that some of your passwords and personal information from affected websites may still be at risk. Therefore, we strongly recommend that you immediately change the passwords for accounts that are most critical to you. Any password used for multiple sites is at the greatest risk of being stolen or exploited, so those are good ones to change, along with the ones you use to protect particularly high-value accounts like bank accounts or password managers. Ensure passwords are strong and unique.
Photo credit: Torkild Retvedt