Urgent! Cloudbleed HTTPS Traffic Leak

A massive leak affected domains using Cloudflare, exposing passwords and user information for sites using the service between 09-22-2016 and 02-18-2017. This may not seem like much until we look at how many websites are actually using Cloudflare (over 4,287,625). Take a look at the following site, which compiled a list of websites potentially affected. If you see a site there that you use, it is a good indicator that you should change your password for that site. Additionally, if you use the same username and password combination on other sites, change those as well.

Here’s a link: https://github.com/pirate/sites-using-cloudflare/. Look for “Readme.md”, which will have a list of the sites used as well as a link to all sites affected. Warning: the attachment is 22Mb, so looking through that much data may take a while.

Some of the sites on the list are Uber, Fitbit, Glassdoor, OkCupid, Yelp, Fiverr, and Upwork.
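Because the full list is too large to read by eye, the check can be scripted. The following is an added example, not code from this post or from the linked repository; it assumes you have saved the list locally as a text file with one domain per line and have a second file listing the sites where you hold accounts (URLs or bare hostnames). The function names and file arguments are hypothetical.

```python
from urllib.parse import urlsplit

def hostname(entry):
    """Reduce a URL or bare host[:port] to a lowercase hostname."""
    entry = entry.strip().lower()
    if not entry:
        return ""
    if "://" not in entry:
        entry = "//" + entry  # makes urlsplit treat it as a network location
    return (urlsplit(entry).hostname or "").rstrip(".")

def candidates(host):
    """Yield the host and each parent domain that has at least two labels."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def affected_sites(my_sites, list_lines):
    """Map each of your entries to the listed domain that covers it."""
    wanted = {}  # candidate domain -> your entries it would cover
    for entry in my_sites:
        for cand in candidates(hostname(entry)):
            wanted.setdefault(cand, set()).add(entry.strip())
    hits = {}
    for line in list_lines:  # streamed, so the large list is never held in memory
        domain = line.strip().lower().rstrip(".")
        for entry in wanted.get(domain, ()):
            hits.setdefault(entry, domain)
    return hits

if __name__ == "__main__":
    import sys
    # Assumed usage: python check_sites.py LIST_FILE MY_SITES_FILE
    with open(sys.argv[1], encoding="utf-8", errors="replace") as lst, \
         open(sys.argv[2], encoding="utf-8") as mine:
        for entry, domain in sorted(affected_sites(mine, lst).items()):
            print(f"{entry}  ->  listed as {domain}")
```

Matching on parent domains means an account at a subdomain such as `www.` or `login.` is still flagged when only the base domain appears in the list.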

Given the extremely large number of possibly affected websites and domains, we highly recommend changing all your passwords to something both secure and domain-specific. This way, when one password combination becomes compromised (and it will, because they always do), you can change just that one and not every account you have.