Even the partial list of sites affected by Cloudbleed, the monumental security failure by content delivery network provider Cloudflare Inc. that exposed sensitive information including passwords, cookies and tokens used to authenticate users, includes hundreds of popular sites.
Published by a user who goes by the name of “pirate” on GitHub, the list includes a who’s who of popular sites, such as Yelp, Medium, Uber, Patreon, Upwork, YCombinator and Transferwise, along with bitcoin exchanges Coinbase, BTC-E, QuadrigaCX, Kraken, Bitstamp and Bitfinex.
Also among the many Cloudflare customers that may have had customer data exposed are Fiverr, The Pirate Bay, FitBit, Change.org (which has already reset all user passwords), Creativecommons.org, Crunchbase, TypePad and Udemy.
Although Change.org has already reset all user passwords because of the potential data breach, experts are counseling users not to panic. The reason is that the amount of data leaked may not be highly significant, even though it was openly available enough to be indexed and cached by search engines.
“This issue has a low likelihood of impacting individuals, but remains serious due to the broad exposure introduced to thousands of businesses and millions of their users from a single service provider,” Rapid7 Vice President of Information Security Josh Feinblum told SiliconANGLE via email. “Any providers relying on the impacted services should conduct their own assessment and determine whether any customer notifications are appropriate.”
Ashwin Krishnan, senior vice president of product management and strategy at security solutions firm HyTrust, explained what occurred from a different perspective. “Every breach results in some amount of data compromise,” he said. “In the case of the recently discovered Cloudflare bug, some of the critical data that was exposed included encryption keys used to protect server-to-server traffic at Cloudflare. Any data loss is concerning, but the loss of private encryption keys highlights a significant risk to a secure infrastructure.”
The lesson is that companies need to improve their security policies, because an attacker holding leaked keys or credentials could potentially use them to gain access to further data.
“An attacker who uses a vulnerability and then holds encryption keys before the breach is discovered may have free and clear access to the information that is thought to be encrypted and protected,” Krishnan said. “This could allow them to go undetected, putting even more data at risk. To reduce the risk of exposed data, it becomes mission-critical to have a secure, policy-based encryption key management approach. The mantra of rotate, revoke and shred keys is fundamental to a holistic security lifecycle management operation.”