Cloudflare Leak Exposes Data from Thousands of Sites

John Lister's picture

An unfortunate error has led to a massive leak of confidential data online. It's led to calls from users to review their passwords and change the most sensitive ones.

The leak involves Cloudflare, which ironically is a security company. It offers a service by which it acts a little like a gatekeeper for websites, passing on valid requests for data and blocking those designed to cause disruption. In particular, it combats denial of service attacks (DoS) that aim to bring a website down by sheer weight of incoming traffic - usually bogus traffic.

As part of Cloudflare's operations, it temporarily saves website user data in a secure location (known as a buffer). The problem was a simple error in coding where what should have been written ">=" (greater than or equal to) was instead written "==" (equal).

That error meant that when the buffer filled up, rather than write over it, Cloudflare's software wrote the remaining data on a different website that wasn't as secure. To make things worse, that website was being cached by Google's search engine, meaning there's now multiple copies of it available online.

Private Messages Among Leak

Tavis Ormandy, a Google security researcher who discovered the bug, said the leaked data included some information that most certainly should not be publicly available including passwords, cookies (text files with data about a user and their online activity) and even the content of private messages sent through websites. This may include data that is normally transmitted in encrypted form.

He immediately told Cloudflare, which fixed the problem in 47 minutes. However, it appears to have been happening significantly for five days and on a smaller scale as far back as last September.

3,000+ Sites Affected

Exactly what has been exposed is something of a crapshoot. Ormandy says that five days of leaks this month covered data from 3,438 different sites. However, Cloudflare calculates that only one in every 3.3 million page requests led to leaked data. How much of this data was accessed by people with the willingness and ability to abuse it is almost impossible to tell. (Source:

Although the chances of any particular individual being affected by the leak are likely very low, security experts say it should be taken as a prompt to review passwords. This could include changing passwords for all sites (or at least the ones with the most sensitive data about the user). Another option to consider is enabling two factor authentication, an added layer of protection that uses access codes sent to an email address or phone to stop unauthorized login attempts from outside the user's usual devices. (Source:

What's Your Opinion?

Are you surprised one mistyped character could cause such trouble? Do you regularly update passwords to minimize the effects of such leaks? Do you find two-factor authentication useful or too much hassle?

Rate this article: 
Average: 5 (4 votes)


Dennis Faas's picture

This article brings up some pretty important points - one being that there are services online that offer "cloud security" in some way or another to store user passwords and logins, whether it's Dashlane (an online password manager) or storing your backups "on the cloud", as two prime examples. I would never use such services, for fear that either a hacker or a programming error - as discussed in the above article - would leak my data online to the masses. No thanks!

I would much rather manage my passwords locally from my own machine (which stores the logins and passwords in an encrypted manner), and which is only accessible if my machine is active (I.E.: I am logged in), which is also protected by a strong password or my fingerprint. If you use passwords on multiple machines that are mobile, then your options are fairly limited. As such you may need a service like Dashlane (as an example) that manages passwords on the web. Caveat emptor!

As another example - cloud backup - I believe this is a colossal waste of money unless you are using it sparingly and take full precaution to encrypt your backups. Local backups are a far better idea, unless you are worried about a fire. For the most part, cloud backups take way too long to backup, hog CPU and bandwidth resources, and is not at all practical for restoring an entire computer (operating system + user files). In comparison, local backups typically transfer data at a rate of 80-500 megabytes per second where cloud backup would do anywhere from 500kb to 6 megabytes (for up to a 50 megabit connection) - we are talking 10 to 100 times slower transfer speeds if you use cloud backups! Besides being incredibly slow, having all your data online is a huge security risk in itself, as discussed in this article.

ecash's picture

from DRM, and other protections..
3rd party locations are NOT always a good idea..
But also, the idea that ITS NICE to have someone monitoring things..ask Sony.
I dont see Companies setting up a single system, for passwords and protection...and any time someone LOGS intot he password computer, its a double or triple protection system, and TELLS a sysop/admin that SOMEONE is in that system..
Im from the old computer days, and learned a few tricks. And I cant see WHY some of them arent implemented.. Break up the DATA FILE and only allow 1 program to know the locations, and IT can join the files together..
They keep AUTOMATING things, and expect things to run Smoothly. When a person can Log into a system and transfer terabytes of Data over a period of time, and NO ONE NOTICES..I think something is wrong..bells and whistles should have been going off.

People wonder WHy I install Browser protection(I wont name them) and then I goto and WONDER what they are THINKING with over 30 scripts to be loaded, JUST to wonder the site..

I suggest to sites, that with all the 3rd party adverts,WHY not do the adverts themselves? Many companies would LOVe them. And the site could make money on the side for the advert..

Stuart Berg's picture

It's frustrating to me that most two factor authentication, when offered, requires text messaging. The frustration comes from all of us that have no cell service (required for Android messaging) and do NOT use iPhones (capable of WiFi messaging). Considering that about 80% of all smartphones are Android and many of those people have no cell service at their homes, two factor authentication is not an option for us. Why don't more websites offer a two factor authentication option using email?

Dennis Faas's picture

You could always use an app like TextPlus that gives you a real, separate cell phone # so you can text SMS and MMS messages over Wifi. I originally started using this service when I had an incredibly old cell phone plan that didn't have unlimited texting. Now I use TextPlus strictly for when I'm doing remote desktop support work. As far as I recall, I think it only cost $12 a year for a phone number. So far no complaints and it does what it says.