Cloudflare, Inc., a provider of performance and security solutions for websites, recently disclosed that a software bug caused it to leak customer data that was then cached by search engines. Uber, Fitbit, and OkCupid sites may have been affected. While the leaked data is believed to contain private information, the extent of that information is unclear. End-user passwords, cookies, and authentication tokens used to log in to multiple website accounts may have been exposed. In an incident report published on its website, Cloudflare emphasized that customer SSL private keys were not leaked.
Tavis Ormandy, a security engineer with Google’s Project Zero, discovered the bug and contacted Cloudflare to report the issue. The bug had affected Cloudflare’s systems since September 2016; however, the greatest impact occurred between February 13 and February 18, 2017. According to Cloudflare’s incident report, its initial mitigation occurred in 47 minutes, and it resolved the problem in less than seven hours. Cloudflare is working with search engines, including Google, Yahoo, and Bing, to scrub the data from their caches.