For months, a bug in CloudFlare resulted in malformed pages spraying uninitialized memory. This uninitialized memory contained anything that passed through CloudFlare: passwords, cookies, HTTP headers, HTTP content, even internal cloudflare TLS certificates.

ANYTHING transited through CloudFlare could have been sprayed onto the internet. Even worse, HTTP caches (like Google, corporate web caches, ISP caches) have cached these malformed data.

The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

"Consequence of @taviso's Cloudbleed discovery: essentially any traffic which passed through Cloudflare (even https) recently might be public"

https://twitter.com/octal/status/834925850470432769

Even 1Password is affected as they use CloudFlare

What you can do

Change passwords on all CloudFlare sites. This includes:

• reddit
• bitfinex
• bitstamp
• coinbase
• bitcointalk

etc…

If you use 1Password or any web password manager, it's time to get a real password manager.

If you enabled 2FA recently in the past few months, it's possible that the 2FA secret ITSELF was leaked. You should disable and re-enable 2FA.

You can read the full discovery here: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

You can see CloudFlare trying to downplay the impact of the incident, when Cloudbleed is bigger than Heartbleed.