I gave myself the annoying task of changing the passwords for practically half the apps on my iPhone last week, and if you’re following tech news, I’m guessing you did too. If you use platforms like Uber, Fitbit, OkCupid or any of the 5.5 million sites that rely on Cloudflare’s content delivery network, by now you’ve probably heard that your personal information hasn’t been secure for months. Google security researcher Tavis Ormandy shared a post alerting the public to the leak in February. He writes that Cloudflare was leaking “cached pages that contain private messages from well-known services, PII from major sites that use Cloudflare, and even plaintext API requests from a popular password manager that were sent over https.” Translation? Everything from your credit card details to private messages on dating sites has been exposed to prying eyes since September 2016.
We have human error to thank. In an incident report, Cloudflare’s Chief Technology Officer (CTO) John Graham-Cumming explains that a combination of a faulty bit of code and an “ancient piece of software” caused the leak. The faulty code made Cloudflare’s edge servers read past the end of a memory buffer while rewriting HTML pages, so fragments of server memory, including data from other customers’ requests passing through the same server, were written into web pages and picked up by search-engine caches. But what can we learn from Cloudflare’s leak, or “Cloudbleed,” as the Internet has dubbed it? I checked in with security experts to see what businesses and the public can take away from Cloudflare’s slip-up.
First of all, the Cloudflare leak demonstrates the scale of damage one small coding error can do. “The Cloudflare breach is a perfect illustration of how cyber risk can be concentrated within a handful of service providers,” says Dan Dahlberg, a research scientist at BitSight Technologies, which rates the security of companies. “A breach or outage stemming from a large service provider can affect thousands of companies downstream.”
Mike Meikle, a partner at the security consulting and education company SecureHIM, points out that “one error in a line of code invalidated millions of dollars in expensive technology.” He adds: “The takeaway for both consumers and companies is no technology service is 100 percent secure.”
Dahlberg stresses that the Cloudflare leak should remind businesses to avoid relying too heavily on a single service provider. “For instance, if every organization in a company’s supply chain uses Cloudflare on critical segments of their infrastructure, they should make a concerted effort to work with businesses using other service providers. Doing so will ensure that the risk of any one service provider is less concentrated.”
That said, while the bug potentially affected millions of sites, it’s impossible to know the true extent of the damage done. “Given the number of requests Cloudflare typically serves while comparing the obscurity of the issue, there’s a very low chance that one particular user would have had their information leaked,” says Dahlberg. “However, we will never know what was exactly leaked beyond the information incidentally retained by the search engines, so users should be focused on mitigating future damage caused by this issue.”
How can users do damage control? Graham-Cumming stresses that members of the public should “invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys.”
Meikle echoes this view: “Change your passwords. Especially to critical sites such as banking, investment, healthcare, social media — anything with sensitive information,” he says. “Don’t use the same password for all your websites.” He suggests using “stronger passwords, at least 12 characters with a mix of letters, numbers and special characters if possible.”
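Graham-Cumming’s advice to “invalidate and reissue” persistent secrets has a server-side counterpart for any site that sat behind Cloudflare: every session token that existed before the fix was deployed may have transited a leaking edge server, so all of them should be revoked and users handed fresh ones. The following is an added example, not code from Cloudflare, OkCupid or any of the experts quoted here; the store, the `SessionStore` class and its methods, the cutoff date and the user names are illustrative assumptions.

```python
# Added example (not Cloudflare's or any quoted expert's code): a minimal
# server-side session store that can bulk-revoke every token issued before a
# cutoff, such as the moment a fix was deployed, and reissue tokens on demand.
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional


@dataclass
class Session:
    user: str
    issued_at: datetime
    revoked: bool = False


class SessionStore:
    """Keeps only a SHA-256 of each token, so a dump of the store leaks no usable secret."""

    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.now = now                      # injectable clock; an assumption to keep the demo testable
        self._sessions: dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = Session(user, self.now())
        return token

    def lookup(self, token: str) -> Optional[str]:
        """Return the user for a live token, or None if unknown or revoked."""
        s = self._sessions.get(self._key(token))
        if s is None or s.revoked:
            return None
        return s.user

    def revoke_issued_before(self, cutoff: datetime) -> int:
        """Revoke every live session issued before `cutoff`; returns how many were revoked."""
        n = 0
        for s in self._sessions.values():
            if not s.revoked and s.issued_at < cutoff:
                s.revoked = True
                n += 1
        return n

    def rotate(self, token: str) -> Optional[str]:
        """Revoke the presented token and hand the same user a fresh one."""
        user = self.lookup(token)
        if user is None:
            return None
        self._sessions[self._key(token)].revoked = True
        return self.issue(user)


def demo() -> dict:
    """Walk through the response to a disclosure window (constructed dates and users)."""
    clock = [datetime(2017, 1, 10, tzinfo=timezone.utc)]
    store = SessionStore(now=lambda: clock[0])
    old_token = store.issue("alice")        # issued while the edge was still leaking
    clock[0] = datetime(2017, 2, 24, tzinfo=timezone.utc)
    fresh_token = store.issue("bob")        # issued after the fix
    fix_deployed = datetime(2017, 2, 18, tzinfo=timezone.utc)  # assumed cutoff
    revoked = store.revoke_issued_before(fix_deployed)
    rotated = store.rotate(fresh_token)     # reissue on next login even for post-fix users
    return {
        "revoked": revoked,
        "old_valid": store.lookup(old_token) is not None,
        "fresh_valid_after_rotate": store.lookup(fresh_token) is not None,
        "rotated_user": store.lookup(rotated),
    }


if __name__ == "__main__":
    print(demo())
```

The cutoff is the fix time rather than the start of the leak because a token issued earlier but still in use during the window passed through the same vulnerable edge. Hashing tokens at rest also means that the leaked fragments, had they included a copy of the store, would not have been usable directly. The same pattern applies to API keys, with the difference that clients need a grace period to pick up the new key before the old one is disabled.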
And what should the affected companies do to control the damage of a leak like this? Jason Maloni, the head of JadeRoq — a global crisis communications firm specializing in privacy and cyber matters — suggests working with privacy attorneys, insurance representatives and crisis counselors to come up with a game plan. “The companies that rely on Cloudflare should pressure it to take responsibility for the disclosure and ownership of the damage,” says Maloni. “If the communication is not swift and clear, the brands may consider notifying customers themselves so they can state the facts along the lines of elegantly saying ‘we’re not to blame but we’re going to fix it.’”
OkCupid did just that last week, issuing the following statement to the press. “Cloudflare alerted us Thursday night of their bug and we’ve been looking into its impact on OkCupid members,” the dating company blogged. “Our initial investigation has revealed minimal, if any, exposure. If we determine that any of our users has been impacted we will promptly notify them and take action to protect them.”
But nobody wants a crisis on their hands. If anything, Cloudflare’s leak ought to inspire companies to scour their platforms for security flaws proactively, says Meikle: “Companies will need to aggressively review software for vulnerabilities. This will sometimes mean very expensive software migrations from legacy applications.”
A leak like this serves as a powerful reminder that the protection of our information online is never foolproof, and it ultimately chips away at our good faith in the services we use every day. “The public understands that no security is impenetrable,” says Maloni. “But a system-wide failure that may have gone back to September 2016 borders on the unforgivable.”