Cloudflare Cloudbleed Bug Exposes Customers’ Customer Data

FrgMstr

Just Plain Mean
Staff member
Joined
May 18, 1997
Messages
52,942
Cloudflare has let us know that a bug possibly exposed data of its customers' customers. Both HardOCP and HardForum sit behind Cloudflare technologies. So yes this story hits home for HardForum users, but Cloudflare has let us know that we were not exposed in the breach. You can read up on this incident here. To be honest though, I would suggest you change your HardForum Password anyway. It is the smart thing to do. You can read the email sent to me by Cloudflare this morning below.

In our review of these third party caches, we discovered exposed data on approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

Your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.

To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.
 
Deleted member 133315

Guest
Omgodz, hardforum has not been haxed.

Are we not good enough ?

Seriously though, it's good to hear that the breach never extended to [H]
 

Dead Parrot

2[H]4U
Joined
Mar 4, 2013
Messages
2,831
At least it's not a billion accounts.. I'm looking at you, Yahoo.

And more importantly, it was found, fixed, disclosed and fully explained in a matter of weeks as opposed to the Yahoo breaches which were disclosed years after happening and as far as I know, have yet to be fully explained.
 

FrgMstr

Just Plain Mean
Staff member
Joined
May 18, 1997
Messages
52,942
And more importantly, it was found, fixed, disclosed and fully explained in a matter of weeks as opposed to the Yahoo breaches which were disclosed years after happening and as far as I know, have yet to be fully explained.
Yeah, I have to give Cloudflare props on that.
 

klank

Killer of Killer NIC Threadz
Joined
Aug 22, 2011
Messages
2,177
Good thing my forum password is randomly generated by Lastpass, now to just generate a new one and move on with my day. :)

Same here with 1Password....New 24 character random password without breaking a sweat.


Google: The SHA-1 collision is the biggest news today

Cloudflare: Hold my beer
 

griff30

Supreme [H]ardness
Joined
Jul 15, 2000
Messages
6,755
Meh,
I don't use the account for business, so never had any worries.
Maybe they can use my password to win me a hardware give-away on here?
Bonus if they win me a Ryzen CPU!
 

cdabc123

2[H]4U
Joined
Jun 21, 2016
Messages
3,856
Time to change my passwords :p I'm not too concerned about [H] but I just found out most of the sites I use for btc trading are also behind Cloudflare :( Kraken did throw out an interesting figure though, they estimated only 0.00003% of http requests were affected.
 

ghostwich

2[H]4U
Joined
Sep 10, 2014
Messages
2,171
*Changes password from "12345" to "123456"* OK I am good to go now ;)
 
Deleted member 184142

Guest
Didn't notice before, but is the email of password change with IP address that made the change new? I don't remember that from before, if it's new, good change.
 

Erasmus354

[H]F Junkie
Joined
Mar 12, 2004
Messages
9,450
Changing your password is definitely the smart thing. Also while this may have been fixed and disclosed quickly once it was found, the bug has been present and leaking data since September of last year. Almost 6 months.

I would say the Cloudflare email is misleading. HardForum data could absolutely have been compromised in this bug. It is basically a buffer overflow and Cloudflare was randomly leaking all sorts of data all over the place. Just because it wasn't caught in a cache doesn't mean it wasn't compromised. However it is unlikely, but not impossible.

This goes the same for any and every site that uses Cloudflare.....lots of passwords and certs to update boys.
 
Deleted member 88227

Guest
Tried to change my password to penis. Said it wasn't long enough. So I changed it to penis12. Works great now.
 

leSLIe

Fisting is Too Mainstream for Me
Joined
Oct 18, 2004
Messages
13,925
OMG HAxX0rZ :eek:

They are gonna find out the secrets of Hardforum :eek: :eek: :eek:
 

AceGoober

Live! Laug[H]! Overclock!
Joined
Jun 25, 2003
Messages
23,931
Sucks when things like this happen but it is all for the good that bugs like this are caught and remedied. Changed my password just now.
 
Joined
Dec 29, 2000
Messages
2,469
"Cloudflare has let us know that we were not exposed in the breach."

To be clear, this is not what they said. They said your site was not among one of the 150 customers exposing data. The sites of the subset of 150 customers they identified were potentially exposing data from all CloudFlare sites.
 