Cloudflare Cloudbleed Bug Exposes Customers’ Customer Data

FrgMstr

Cloudflare has let us know that a bug possibly exposed data of its customers' customers. Both HardOCP and HardForum sit behind Cloudflare technologies. So yes, this story hits home for HardForum users, but Cloudflare has let us know that we were not exposed in the breach. You can read up on this incident here. To be honest though, I would suggest you change your HardForum password anyway. It is the smart thing to do. You can read the email sent to me by Cloudflare this morning below.

In our review of these third party caches, we discovered exposed data on approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

Your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.

To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.
 
Omgodz, hardforum has not been haxed.

Are we not good enough?

Seriously though, it's good to hear that the breach never extended to [H]
 
At least it's not a billion accounts.. I'm looking at you, Yahoo.

And more importantly, it was found, fixed, disclosed and fully explained in a matter of weeks as opposed to the Yahoo breaches which were disclosed years after happening and as far as I know, have yet to be fully explained.
 
"And more importantly, it was found, fixed, disclosed and fully explained in a matter of weeks as opposed to the Yahoo breaches which were disclosed years after happening and as far as I know, have yet to be fully explained."
Yeah, I have to give Cloudflare props on that.
 
Good thing my forum password is randomly generated by Lastpass, now to just generate a new one and move on with my day. :)

Same here with 1Password....New 24 character random password without breaking a sweat.


Google: The SHA-1 collision is the biggest news today

Cloudflare: Hold my beer
 
Meh,
I don't use the account for business, so never had any worries.
Maybe they can use my password to win me a hardware give-away on here?
Bonus if they win me a Ryzen CPU!
 
Time to change my passwords :p I'm not too concerned about [H] but I just found out most of the sites I use for btc trading are also behind Cloudflare :( Kraken did throw out an interesting figure though, they estimated only 0.00003% of http requests were affected.
 
*Changes password from "12345" to "123456"* OK I am good to go now ;)
 
Didn't notice before, but is the email of password change with IP address that made the change new? I don't remember that from before, if it's new, good change.
 
Changing your password is definitely the smart thing. Also while this may have been fixed and disclosed quickly once it was found, the bug has been present and leaking data since September of last year. Almost 6 months.

I would say the Cloudflare email is misleading. HardForum data could absolutely have been compromised in this bug. It is basically a buffer overflow and Cloudflare was randomly leaking all sorts of data all over the place. Just because it wasn't caught in a cache doesn't mean it wasn't compromised. However it is unlikely, but not impossible.

This goes the same for any and every site that uses Cloudflare.....lots of passwords and certs to update boys.
 
Tried to change my password to penis. Said it wasn't long enough. So I changed it to penis12. Works great now.
 
OMG HAxX0rZ :eek:

They are gonna find out the secrets of Hardforum :eek: :eek: :eek:
 
Sucks when things like this happen but it is all for the good that bugs like this are caught and remedied. Changed my password just now.
 
"Cloudflare has let us know that that we were not exposed in the breach."

To be clear, this is not what they said. They said your site was not among one of the 150 customers exposing data. The sites of the subset of 150 customers they identified were potentially exposing data from all Cloudflare sites.
 