Friday 24 February 2017

Cloudflare data breach

At 3:27am today we were made aware of a memory leak caused by a bug in Cloudflare, the upshot of which is that encrypted data related to logged-in users were leaked and available publicly. (You can read more here).

Medium uses the proxy Cloudflare for DDOS protection. The risk of this bug was that some of these data could be used to access a Medium user’s account, with the full privileges of that user.

After assessing our ability to determine the scope of the risk of this bug, and discussing the implications of possible actions, we decided out of an abundance of caution to invalidate all user sessions. In order to access the logged-in features of Medium, users will have to log back in.

The Medium Engineering team has committed to publishing a technical postmortem for serious outages to Medium core services, in order to build trust and hold us accountable to our users. More background on this program.