By MatthewKilp » about 1 year ago

Hello everyone,

Whilst this breach was announced to the public just under 2 days ago, I have spent the time debating whether there was a need to mention it or not, and today came to the conclusion that it would be best to notify everyone of what has happened.

I'll firstly outline what CloudFlare is, and what we use them for. CloudFlare is a company with servers all around the world that handle resolving our domain (theburrow.net) to the IP addresses of our servers so your computers can connect to them (a basic outline of what DNS is). Their servers around the world also cache assets and minify our code, so that our website takes less time and bandwidth to load.

On Thursday afternoon, CloudFlare posted on their blog (obviously the best place for urgent announcements) details of the issue. I wasn't aware of this from CloudFlare until they sent an email at 12PM on Friday, but I had seen details of it on Twitter and in emails from other companies - I was fairly shocked at CloudFlare being one of the last companies to alert me about their own issue.

The issue was reported by a Google engineer, so the damage caused will be at a minimum. The issue occurred when webpages weren't formatted correctly, and some of CloudFlare's code was interpreting this wrongly and outputting data from Nginx (the web server software they use) that contained sensitive information, such as users' IPs and POST data. On the internet, POST data is data you are sending to the server. So, my message and the title for this message would be POSTed to this server when I send it. However, this also means that usernames and passwords are sent this way too, and CloudFlare had been outputting these in plain text for some time.
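As an added illustration, not code from this post or from CloudFlare, here is a small constructed C model of the bug class described above, in the shape CloudFlare's own incident report gives for the root cause: a tag scanner steps its pointer one byte past the end of the page buffer when a tag is cut off, and because its end-of-buffer test is `==` rather than `>=`, it keeps scanning into neighbouring memory and copies it out. The `arena`, `scan_script` and `demo` names, the sample page and the `cf-host-origin-ip` line are all constructed for the example.

```c
#include <stddef.h>
#include <string.h>
/* Constructed model of the bug class, not Cloudflare's parser. The page
 * buffer is laid out in front of unrelated "neighbouring" memory, which
 * stands in for another request's data living in the same process. */
enum { ARENA_CAP = 96 };
static char arena[ARENA_CAP];

/* Copy the attribute text of the first <script tag into out.
 * The scanner consumes "<script" plus the separator it assumes follows
 * (8 bytes) in one step without re-checking the bound, so a page that
 * ends right after "<script" leaves p one byte PAST pe.
 *   hardened == 0: loop guard is  p != pe  (never fires once p > pe)
 *   hardened == 1: loop guard is  p <  pe  (fires immediately)
 * hard_end is the true end of the allocation and exists only to keep
 * this demonstration itself in bounds. Returns the bytes written. */
static size_t scan_script(const char *buf, size_t len, const char *hard_end,
                          int hardened, char *out, size_t cap)
{
    const char *p = buf, *pe = buf + len;
    size_t n = 0;
    int in_tag = 0;
    while ((hardened ? p < pe : p != pe) && p < hard_end) {
        if (in_tag) {
            if (*p == '>')                  /* end of tag: done */
                break;
            if (n < cap) out[n++] = *p;     /* capture attribute text */
            p++;
        } else if (pe - p >= 7 && memcmp(p, "<script", 7) == 0) {
            p += 8;                         /* tag name + assumed separator */
            in_tag = 1;
        } else {
            p++;
        }
    }
    return n;
}

/* Lay a constructed page (at most 64 bytes) and constructed neighbouring
 * bytes in the arena, scan the page only, and return what was captured. */
static const char *demo(const char *page, int hardened, char *out, size_t cap)
{
    /* Stand-in for another request's memory; its first byte is eaten as
     * the separator the scanner assumes follows "<script". */
    static const char neigh[] = " cf-host-origin-ip: 203.0.113.7>";
    size_t plen = strlen(page);
    memset(arena, 0, sizeof arena);
    memcpy(arena, page, plen);
    memcpy(arena + plen, neigh, sizeof neigh - 1);
    size_t n = scan_script(arena, plen, arena + sizeof arena, hardened, out, cap - 1);
    out[n] = '\0';
    return out;
}
```

With the truncated page the unhardened scan returns the neighbouring bytes; the `>=` guard returns nothing, and both behave the same on a well-formed tag.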

Whilst by this stage most search engines have cleared their crawler archives for the sites affected (there's a chance you can search "cf-host-origin-ip: " and see snippets of data), there's still a chance some of the data got into bad hands, from people who crawled sites themselves.

What should I do now?
As most of the private data accidentally shared by Cloudflare is now no longer available, there isn't really a need to do anything. However, as good security practice, as with any data breach, it is suggested that you change your password on any affected sites, or any sites you use the same password on. Whilst the chances of your details being accidentally output are low, CloudFlare 'protects' over 5.5 million websites, so there's still a large chance that a lot of the websites you use may have been impacted (larger sites using CloudFlare include Uber, Fiverr, Authy, Medium, Discord, and FitBit [list here: https://github.com/pirate/sites-using-cloudflare/blob/master/README.md]). It is also suggested that you enable 2-factor authentication anywhere that supports it and where the account is important to you.

Whilst the chances of this having affected our website in particular are extremely small, I just felt it was best to alert everyone that there's a chance their details from other websites were affected, as around 1 in 3,300,000 HTTP requests had leaked memory, which amounts to a potential of up to 200,000 requests per day containing private data.

For more information, visit CloudFlare's post on this: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/, or feel free to ask me for anything else if you don't totally understand what has happened.
