Cloudflare Leak Exposed Data From Millions of Websites

Cloudflare says it patched a bug that could compromise user accounts at popular websites.

Tom Brant, Managing Editor

Web services company Cloudflare recently patched a bug that could have exposed a broad range of customer data like passwords, chat transcripts, and other information stored by millions of websites.

The bug, discovered by Google security researcher Tavis Ormandy, allowed sensitive data from Cloudflare-powered websites to be cached by search engines, including Google.

"I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings," Ormandy wrote in a Feb. 19 blog post. "We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything."

Cloudflare powers many popular websites, including Uber, Fitbit, and OkCupid, Forbes reports. But Cloudflare downplayed the bug's impact on consumers, explaining in a statement that it had not discovered any evidence of malicious exploits.

"The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that's about 0.00003% of requests)," the company said.

Cloudflare client and password management company 1Password reassured its users that the bug did not put any of their data at risk. "At the moment, we want to assure and remind everyone that we designed 1Password with the expectation that SSL/TLS can fail," the company said in a statement. "Indeed it is for incidents like this that we deliberately made this design."

Some Uber session tokens were leaked, Forbes reports, which could have compromised some Uber accounts, but the company said those tokens have now been changed and no user passwords were leaked.

Still, given the potential scope of the vulnerability and the fact that the data could be cached by search engines, experts warned that sensitive data could be strewn about many corners of the web. Security researcher Ryan Lackey said the bug is a good reminder to do what you should be doing regularly anyway: change all of your passwords.

"Other data might exist in other caches and services throughout the Internet, and obviously it is impossible to coordinate deletion across all of these locations," Lackey wrote in a blog post. "From an individual perspective, this is straightforward—the most effective mitigation is to change your passwords."
