Cloudflare — a widely used internet service provider — is reporting a security bug that has caused a data leak and a flood of potential security hassles for its corporate clients.
According to the most recent disclosures, the bug has been affecting the system since September 2015 and has been causing some of the company’s servers to leak private information like user passwords and authentication data.
The good news is the bug has been fixed — the bad news is that fix didn’t go in until last Friday. While active, the bug reportedly affected 1 out of every 3.3 million web requests processed by its network. That may not sound like too big a concern, but Cloudflare serves billions of pages per day — meaning leaky pages were popping up about 120K times per day. And those pages were automatically catalogued by search engines so the private information leaked out was available to see in cached page source code.
As of now, Cloudflare does not believe any of the data was put toward nefarious purposes.
“Although it is a very scary thing to have private information exposed like this, we think it’s unlikely that someone actually spotted it and did something bad with it,” John Graham-Cumming, Cloudflare’s chief technology officer, said in an interview.
However, the fact that something bad may not have happened does not change the fact that something fairly bad could have happened — and in fact did happen 120K times per day, but just didn’t happen to be noticed. Moreover, the failure points to the various crumple points existent in a cloud-based economy, where a single point of failure can net massive downstream chaos.
The attack on Dynamic Network Services Inc., or Dyn, last year saw a thousand websites down suddenly and totally unusable in the U.S. because Dyn is a service provider that speeds up the delivery of internet content.
The Cloudflare bug was spotted by a researcher at Alphabet Inc.’s Google a week ago. Google and other search-engine companies are now working with Cloudflare to scrub leaked data and current reports indicate most of it has been removed from the public view.
It is still unknown which companies, or how many, might have been affected. Cloudflare has over 5 million customers and only publishes only a partial list. But the list is noteworthy: online dating site OkCupid, and AgileBits Inc., maker of the 1Password security software, are both clients.
AgileBits CEO Jeffrey Shiner said 1Password users aren’t affected by the bug because the company uses multiple layers of encryption.
OkCupid, a unit of Match Group Inc. has thus far detected only “minimal, if any, exposure,” according to CEO Elie Seidman.
“If we determine any user was impacted, we will promptly notify them and assist in minimizing any potential risk,” he said.
Security experts are recomending that consumers use the recent leak as a good reason to update passwords, despite the fact that no malicious use of the data has been discovered thus far.
“If somebody found this vulnerability in advance and has been collecting data, then it’s a bigger deal,” noted Ryan Lackey, an entrepreneur and former Cloudflare security staffer.