ADRIENNE PEDERSEN JOINS US LIVE FROM THE WEB CENTER. ADRIENNE, HOW DO WE KNOW IF OUR INFORMATION IS COMPROMISED?
ADRIENNE: UNFORTUNATELY THERE'S NO WAY TO KNOW IF OUR PASSWORDS ARE NOW IN THE WRONG HANDS. WITH MILLIONS OF COMPANIES, EVERYTHING FROM BANKS TO DATING SITES POTENTIALLY HIT CYBER, A SECURITY EXPERT SAYS IT'S BETTER TO BE SAFE THAN SORRY.
>> YOU DON'T KNOW IF YOU ARE THE NEEDLE IN THAT HAYSTACK OR NOT, RIGHT?
ADRIENNE: CLOUDBLEED IS THE LATEST THREAT TO OUR ONLINE SECURITY. A SYSTEM CALLED CLOUDFLARE THAT MORE THAN 5 MILLION WEBSITES USE TO KEEP THEM SECURE ACCIDENTALLY SPILLED INFORMATION LIKE PRIVATE MESSAGES FROM DATING SITES, PASSWORDS, AND HOTEL BOOKINGS.
>> THAT IS PRETTY SCARY, YEAH. HOPE IT WAS NOT ME.
ADRIENNE: WE DON'T KNOW IF WE ARE AFFECTED BY THIS, SO DO WE NEED TO CHANGE OUR PASSWORDS?
>> IT IS BETTER TO BE SAFE THAN SORRY.
ADRIENNE: THOMAS KACZMAREK, A CYBER SECURITY EXPERT AT MARQUETTE, SAYS CHANGE YOUR PASSWORD NOW. AND MAKE IT LONG. HE ALSO RECOMMENDS NOT USING THE SAME PASSWORD FOR SEVERAL SITES WHICH MEANS MORE WORK REMEMBERING THOSE DOZENS OF PASSWORDS.
>> HOW OFTEN DO YOU CHANGE YOUR PASSWORDS?
>> NOT OFTEN. I WOULD DO THAT WHEN I GET HOME.
ADRIENNE: I THINK A LOT OF US WILL BE. A SO-CALLED BUG SPOTTER NAMED TRAVIS ORMANDY FOUND THE GLITCH, WHICH IS NOW FIXED. HE'S ONE OF THE GOOD GUYS. BUT WE DON'T KNOW IF A MALICIOUS HACKER FOUND IT FIRST AND STOLE
Were you affected by the Cloudflare leak? Here's how to protect yourself
Cloudflare is used by millions of US businesses like Fitbit, Uber and OkCupid
Updated: 3:28 PM CST Mar 8, 2017
On Thursday, San Francisco-based online security service Cloudflare reported a flaw in its online servers. The incident, dubbed Cloudbleed, spilled private user data onto the (very public) web, where the information was crawled and cached by search engines like Google and Yahoo.
Why should you be concerned?
Cloudflare is a content delivery network (CDN) used by around 5.5 million websites, including Uber, OkCupid and Fitbit.
That means personal data like passwords or private messages was indexed by web crawlers for at least a week before the bug was patched.
The bug was first spotted by Google vulnerability researcher Tavis Ormandy earlier this month.
"I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings," Ormandy said Feb. 19. "We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything."
The leak was undoubtedly active from Feb. 13-19, but may date back to September, Cloudflare CTO John Graham-Cumming said Thursday.
Graham-Cumming doesn't believe the bug was exploited with malicious intent, but some online security experts aren't so sure.
"I don't believe that we can be absolutely certain that the CloudFlare memory leak wasn't the result of an exploit of their code," cybersecurity consultant Kenneth Holley told us Sunday.
Holley co-founded Shield Logic, a Washington, D.C.-based cybersecurity firm that provides web protection for federal, state and local US governments. He is also the CEO of 23-year-old company Information Systems Integration.
"The biggest concern revolving around search engines - both domestic and abroad - is the amount of leaked password data scraped, possibly by criminal types, before scrubbing efforts began, and how long the CloudFlare leak existed prior to being discovered," Holley said. "Unfortunately software will, as long as humans are designing and writing it, be prone to bugs. In this particular case, we have to wonder why, exactly, this went on for so long and how that speaks to CloudFlare's overall carelessness."
This isn't the first time Cloudflare has found itself embroiled in scandal. The service was accused of protecting three popular ISIS forums in 2015. It was also once used by Rescator, a site that sells stolen credit card numbers.
"This CloudFlare incident should serve as an enormous wake-up call for everyone," Holley said. "Password changes and using multi-factor authentication, where available, should happen immediately."