Cloudflare, which provides services to millions of websites, has revealed that a bug has caused website passwords, cookies, and authentication tokens to be temporarily available in plain text. The list of 4.2 million domains possibly affected includes some of the internet’s most popular websites.
The Internet infrastructure company Cloudflare, which provides a variety of performance and security services to millions of websites, revealed late Thursday that a bug had caused it to randomly leak potentially sensitive customer data across the internet.
The flaw was first uncovered by Google vulnerability researcher Tavis Ormandy on February 17, but could have been leaking data since as long ago as September 22. In certain conditions, Cloudflare’s platform inserted random data from any of its six million customers—including big names like Fitbit, Uber, and OKCupid—onto the website of a smaller subset of customers. In practice, it meant that a snippet of information about an Uber ride you took, or even your Uber password, could have ended up hidden away in the code of another site.
South African e-commerce website takealot.com compromised
One of these websites is Takealot.com, the popular online shopping site in South Africa. I have not searched the entire list of 4.2 million sites, but I am quite sure that there are a few thousand South African websites affected by this data leak.
What is disturbing is that Takealot.com undoubtedly knows about this leak but has not notified any of its customers that their personal information could be compromised.
You can search the list here: http://cloudflarelistcheck.abal.moe/
Or you can download the list of 4.2 million sites here: https://github.com/PIRATE/SITES-USING-CLOUDFLARE
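If you download the list rather than using the online search, you can check every site you hold an account on in one pass. The script below is an added example written for this post (it is not the post author's code nor a Cloudflare tool); it assumes the downloaded list is a plain text file with one domain per line, and that your account hostnames come from something like a password-manager export. Because the list holds registered domains, a login host such as login.example-shop.com is matched through its parent domain.

```python
"""Check which of your account domains appear in a downloaded list of
Cloudflare-fronted domains (e.g. the 4.2 million-entry list linked above).
Example code added to this post; not from the post's author or Cloudflare."""
from __future__ import annotations

from pathlib import Path

# Constructed sample of list entries, in the one-domain-per-line form the
# downloadable list is assumed to use; a real run reads the full file via
# load_domain_list(). Mixed case is included to show normalisation.
SAMPLE_LIST = """\
takealot.com
discordapp.com
Example-Shop.COM
curse.com
"""

# Constructed: hostnames from a user's saved logins (assumption: exported
# from a password manager as bare hostnames or full URLs).
MY_ACCOUNT_HOSTS = [
    "https://www.takealot.com/account",
    "login.example-shop.com",
    "fastmail.com",
    "1password.com",
]


def normalize(host: str) -> str:
    """Strip scheme, path, port and case: 'https://WWW.Foo.com/x' -> 'www.foo.com'."""
    host = host.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]
    return host.rstrip(".")


def parse_domain_list(text: str) -> set[str]:
    """Parse a one-domain-per-line list, ignoring blank lines and '#' comments."""
    return {
        normalize(line)
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def load_domain_list(path: str | Path) -> set[str]:
    """Read the downloaded list from disk (errors='replace' tolerates odd bytes)."""
    return parse_domain_list(Path(path).read_text(encoding="utf-8", errors="replace"))


def candidate_parents(host: str) -> list[str]:
    """'login.shop.example.com' -> ['login.shop.example.com', 'shop.example.com', 'example.com'].

    The bare TLD is never returned. Two-part public suffixes such as 'co.za' are
    still produced as candidates; they only cause a false match if the list
    itself contains that suffix, which a registered-domain list should not.
    """
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def affected_accounts(hosts, domain_list: set[str]) -> dict[str, str]:
    """Map each of the user's hosts to the list entry it matched, if any."""
    hits: dict[str, str] = {}
    for raw in hosts:
        host = normalize(raw)
        for parent in candidate_parents(host):
            if parent in domain_list:
                hits[host] = parent
                break
    return hits


if __name__ == "__main__":
    domains = parse_domain_list(SAMPLE_LIST)  # or load_domain_list("sites.txt")
    for host, entry in affected_accounts(MY_ACCOUNT_HOSTS, domains).items():
        print(f"{host}: on the list as '{entry}' -> rotate this password")
```

A match only tells you that the site was behind Cloudflare during the affected period, which is the same thing the list itself tells you; it is not evidence that data for that site was actually found in a cache. Treat it as the set of accounts whose passwords are worth rotating first.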
Your passwords and personal information on affected websites may be at risk. I strongly recommend that you immediately change the passwords for the accounts that matter most to you, making each one strong, unique and not reused for any other account. When a reused password is stolen, every account that shares it is exposed. This was true before Cloudbleed and is even truer today.
Notable sites compromised
- zendesk.com (Zendesk post and updates | no leaked data found)
- curse.com (and some other Curse sites like minecraftforum.net)
- discordapp.com (affected)
- digitalocean.com (no leaked data found in several search engine caches)
- namecheap.com (no leaked data found in several search engine caches)
- glassdoor.com (no leaked data found in several search engine caches)
- vultr.com (no leaked data found in several search engine caches)
- fastmail.com (not affected, #2)
- 1password.com (not affected)