http://www.reddit.com/r/technology/comments/5vueo8/cloudflare_vulnerability_exposes_user_data_for/
1) this is massive, the full scale is not known 2) caching may make this worse than it was since that makes scraping the data easier.
[quote]Between 2016-09-22 - 2017-02-18 passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. Data was cached by search engines, and may have been collected by random adversaries over the past few months.
Requests to sites with the HTML rewrite features enabled triggered a pointer math bug. Once the bug was triggered the response would include data from ANY other cloudfare proxy customer that happened to be in memory at the time. Meaning a request for a page with one of those features could include data from Uber or one of the many other customers that didn't use those features. So the potential impact is every single one of the sites using CloudFare's proxy services (including HTTP & HTTPS proxy).
"The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests), potential of 100k-200k paged with private data leaked every day"[/quote]
and the [url=http://github.com/pirate/sites-using-cloudflare]github entry[/url] has a list of a bunch of the sites affected as well as a link to download a huge file of the supposedly affected websites. the leak affected many notable sites, some of which you might recognize(not the only ones affected, just the really major ones):
Reddit.com
bitcoin.com
bitdefender.com
patreon.com
medium.com
4chan.org
coinbase.com
yelp.com
okcupid.com
zendesk.com
Uber.com
curse.com(and their family of sites)
stackoverflow.com
thepiratebay.org
ziprecruiter.com
glassdoor.com
reddit.com
pastebin.com
crunchyroll.com
fitbit.com
discordapp.com
change.org
armorgames.com
ashleymadison.com
cyanogenmod.org
dailycaller.com
dota2lounge.com
drudgereport.com
explosm.net(makers of the cyanide and happiness webseries)
f[spoiler]akku[/spoiler]
gyazo.com(a gawker owned CDN)
listverse.com
livememe.com
mangafox.me
medium.com
memecenter.com
menshealth.com
minecraftforum.net
moddb.com
newgrounds.com
nexusmods.com
nodejs.org
omegle.com
pennyarcade.com
prntscr.com
rockpapershotgun.com
somethingaweful.com
s[spoiler]pankbang[/spoiler]
theregister.co.uk
thisoldhouse.com
tineye.com
townhall.com
washingtontimes.com
weknowmemes.com
whatculture.com
whatismyip.com
womenshealthmag.com
thingiverse.com(big 3d printing project file sharing site)
funnyjunk.com
and of course, cloudfare.com.
that is a lot of notable websites! if you have any sort of account on those websites, you should change your passwords immediately to the longest possible password you can for your own good.
-
Never heard of 99% of those sites lol. I'm good.