Several websites including Indian sites using Cloudflare as their storage or host partner could have been affected due to an internal bug that mistakenly leaked sensitive user data. The company confirmed the data leak in a blog post and said that it put together a special team to fix the bug.
The bug was initially spotted by a security analyst from Google’s Project Zero team, which looks for vulnerabilities on the Internet. Cloudflare explained that one of its servers “were running past the end of a buffer and returning memory that contained private information…some of that data had been cached by search engines.” A non-geek explanation: a temporary memory location (or cache) located in one of Cloudflare’s servers started relaying back data (including sensitive info) after the memory got filled. Since there was no space left to store data, it started leaking data to random requesters, and some of this info got listed on search engines.
“The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests),” the company said in the blog post.
Websites that may have been affected
Cloudflare did not disclose the details of websites and links that were affected. However, a user on GitHub has released the details of these sites, claiming that over 4 million websites were affected and that passwords, private messages, and other sensitive data may have been leaked. Some notable Indian sites include HDFC Bank, Citibank, Infibeam, Uber.com, Zoho and Lenskart. The list was first spotted by NextBigWhat. P.S.: if your site uses Cloudflare, it’s probably a good idea to reset all passwords.
Other notable sites:
Other notable data breaches
Recently, a massive data breach on Yahoo carried out by unknown hackers exposed sensitive info belonging to at least 500 million users. The breach, which was carried out in 2014, includes data properties like names, email addresses, dates of birth, telephone numbers and encrypted passwords of Yahoo customers. However, the tech company later blamed “state-sponsored hackers” for stealing information from their servers. Note that Google, Twitter and Facebook earlier gave similar warnings to users stating that there could have been state-sponsored hackers compromising accounts on their platform.
In India, several ATMs and PoS machines on YES Bank’s network were recently affected by a data breach. Hackers targeted around 90 of YES Bank’s ATMs and PoS machines, which resulted in card details of State Bank of India, ICICI Bank and HDFC Bank customers being stolen. Hitachi Payment Services later confirmed that malware on its system caused the breach of sensitive data, which led to over 32 lakh debit cards being compromised.