Change Your Passwords. Now!!!
A massive memory leak from web services and security company Cloudflare may have exposed user data for thousands of sites using the service. In other words: it’s time to change your passwords.
Cloudbleed was discovered by Tavis Ormandy of Google’s security analysis team Project Zero on February 18th. How it was found and patched, and what exactly was causing these leaks, are exhaustively detailed by Cloudflare in a blog post. According to Cloudflare, “the greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage.”
So far there is no official list of affected sites, though many services are asking users to change their passwords regardless. A GitHub user has posted a list of sites they believe have been compromised, along with the caveat that “just because a domain is on the list does not mean the site is compromised, and sites may be compromised that do not appear on this list.” According to this user—who scraped a variety of sites—up to 4,287,625 domains may be at risk. Cloudflare itself admitted to over 1,000 compromised domains.
Below are some of the notable sites believed to be at risk. You can read them now, but we’d really recommend changing your passwords first.