A serious security vulnerability in Cloudflare, a security and web optimisation platform used by over five million websites globally, has affected millions of websites. Dubbed Cloudbleed, the security snafu resulted in Cloudflare-protected sites, including Uber, Fitbit and dating site OkCupid, leaking users' personal and sensitive data.
Although Cloudflare and Google, whose Project Zero initiative was responsible for disclosing the security issue, have worked to remove much of the leaked data, it is likely that some of it still remains exposed. However, there are a few simple measures you can take to check if you have been affected by the issue and to ensure that your data is kept safe.
How to check if your data has been affected by Cloudbleed
The first thing you can do to check if your data has been affected by the leak is to check which sites use Cloudflare. Millions of websites use Cloudflare and, according to Google Project Zero researcher Tavis Ormandy, an unprecedented portion of the internet is linked to it. "I didn't realise how much of the internet was sitting behind [Cloudflare] until this incident," Ormandy wrote in the report that disclosed the issue.
Users can now check which sites have been affected via a list published on GitHub. Among those listed are Medium, 4chan, Zendesk, London Transport, New York Times and more. According to a report by Motherboard, one can also use the website doesitusecloudflare.com to check if a website was affected by the leak.
How to keep your data safe
Change your passwords! Given the vast portion of the internet that used Cloudflare, it still remains unclear how many websites may have been affected by the security issue. Keeping that in mind, the simplest way to keep your data safe would be to change your passwords as a precaution. Changing your passwords is also imperative given that researchers believe that the affected sites may have been leaking data for a while before the issue was detected. This means that leaked data may have made its way into the hands of malicious entities.
Security researcher and former Cloudflare employee Ryan Lackey said in a Medium post that "unless it can be shown conclusively that your data was NOT compromised, it would be prudent to act as if it were."
Use a password manager to generate strong passwords
Changing passwords can be a bother. However, when it comes to cybersecurity, the age-old adage of "better to be safe than sorry" truly applies. If you are anything like me, coming up with new and strong passwords and keeping track of all your accounts' passwords could be as challenging as sticking to a healthy diet while staring at a plateful of chips. This is where setting up a password manager can prove to be a lifesaver.
There are various kinds of password manager software available and most of them have been designed to generate strong and unique passwords for different accounts. The bonus is that the software also keeps track of all your passwords, so you don't have to tax your memory. All you need is one master password to unlock the software and you'll have the rest at your fingertips whenever necessary.
Use two-factor authentication for all your accounts
Most online communications services and messaging apps encourage users to adopt two-factor authentication, which adds an extra layer of security to all your accounts. This can be useful especially in cases like this, when leaked user data could have potentially landed in the hands of hackers. Two-factor authentication serves as a last line of defence against account compromise and it is highly advisable that you activate the feature in all your accounts.