CloudBleed security leak: is your website affected? What steps should you take?
At iubenda we provide tools that allow websites and apps to comply with the law, so we thought it would be useful for you to understand how a data leak like “CloudBleed” should be handled.
CloudFlare, a popular CDN and reverse-proxy provider used by millions of websites, had a serious security leak. According to CloudFlare, a bug in its edge HTML parser caused pages of websites using some specific CloudFlare features to be served with chunks of server memory appended to them. That memory came from CloudFlare's shared edge servers, so it could contain sensitive data from any traffic passing through CloudFlare, including session cookies and passwords.
«Is my website affected?» Most likely YES if you’re using CloudFlare
If you’re using CloudFlare, your website triggered the leak if you had any of the following features enabled. The dates are when each feature started causing the leak, according to CloudFlare:
- Automatic HTTPS Rewrites: affected since September 22, 2016
- Server-Side Excludes: affected since January 30, 2017
- Email Obfuscation: affected since February 13, 2017
Note that because the leaked memory was shared between all sites behind CloudFlare, data from a site that did not use these features could still appear in pages served for a site that did.
According to CloudFlare, the bug causing the leak was fixed on February 18, 2017.
Check your CloudFlare settings (the zone settings page or the account audit log) to determine whether any of these features was enabled and from when. Your exposure starts on the later of the two dates: the feature’s rollout date listed above and the date you switched the feature on for your site.
«What should I do if my website is affected?»
Many jurisdictions require you to notify users of a potential data leak and to take all reasonable actions to mitigate it; check the rules that apply to you and your users.
First, you should assess what data could have leaked. If you allow users to sign up and log in, this is what you should do:
- Assess when the bug first affected you, according to the list above
- Consider expiring all login tokens (session cookies, remember-me cookies, API keys) that were active at any point during the affected period, since a token sent in a request during that period may have ended up in a leaked page
- Consider forcing all users who logged in or signed up in that time span to reset their passwords, since their password was transmitted through CloudFlare during the affected period
- Warn your users about what happened
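The following is an added example, not code from iubenda or CloudFlare, showing how the checks above can be turned into a concrete remediation plan: it computes the exposure window from the implicated features you had enabled (and when you enabled them), then decides which sessions to revoke and which users to force through a password reset. The feature keys, the shape of the user and session records, and the sample data are assumptions made for illustration; the keys are chosen to resemble CloudFlare's zone setting names, but check them against your own configuration.

```python
"""Plan Cloudbleed remediation from the exposure window (added example).

Assumptions (not from the original post): the feature keys below, the
record layout for users and sessions, and the constructed sample data.
"""
from datetime import datetime, timezone


def utc_date(year, month, day):
    """Build a timezone-aware UTC datetime for a calendar date."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Rollout dates of the three implicated features (as published by CloudFlare)
# and the date the leak was stopped. Keys are assumed names, chosen to resemble
# CloudFlare's zone setting identifiers.
FEATURE_AFFECTED_SINCE = {
    "automatic_https_rewrites": utc_date(2016, 9, 22),
    "server_side_exclude": utc_date(2017, 1, 30),
    "email_obfuscation": utc_date(2017, 2, 13),
}
LEAK_FIXED = utc_date(2017, 2, 18)


def exposure_window(enabled_features):
    """Return (start, end) of the period the site could have leaked, or None.

    `enabled_features` maps a feature key to the UTC datetime the feature was
    switched on for the zone (read from the CloudFlare dashboard or audit log).
    A feature only counts from the later of its rollout date and the date it
    was enabled; the window starts at the earliest such date.
    """
    starts = []
    for name, enabled_at in enabled_features.items():
        affected_since = FEATURE_AFFECTED_SINCE.get(name)
        if affected_since is None:
            continue  # feature not implicated in the leak
        starts.append(max(affected_since, enabled_at))
    if not starts:
        return None
    start = min(starts)
    if start >= LEAK_FIXED:
        return None  # only enabled after the fix was deployed
    return start, LEAK_FIXED


def plan_remediation(window, sessions, users):
    """Decide which sessions to revoke and which users to force a reset.

    sessions: dicts with 'id', 'user_id', 'issued_at', 'last_seen_at'.
    users:    dicts with 'id', 'signed_up_at'.
    Any session active at some point inside the window is revoked, because
    its token may have been sent through CloudFlare while the bug was live.
    Any user who logged in (session issued) or signed up inside the window
    gets a forced password reset, because the password itself was sent then.
    """
    if window is None:
        return {"revoke_sessions": [], "reset_users": []}
    start, end = window

    def in_window(t):
        return start <= t < end

    def overlaps_window(s):
        return s["issued_at"] < end and s["last_seen_at"] >= start

    revoke = [s["id"] for s in sessions if overlaps_window(s)]
    reset = {s["user_id"] for s in sessions if in_window(s["issued_at"])}
    reset |= {u["id"] for u in users if in_window(u["signed_up_at"])}
    return {"revoke_sessions": sorted(revoke), "reset_users": sorted(reset)}


# Constructed sample data for illustration only.
SAMPLE_FEATURES = {
    "email_obfuscation": utc_date(2016, 5, 1),     # on before rollout: counts from 2017-02-13
    "server_side_exclude": utc_date(2017, 2, 1),   # enabled after rollout: counts from 2017-02-01
    "rocket_loader": utc_date(2016, 1, 1),         # not implicated, ignored
}
SAMPLE_SESSIONS = [
    {"id": "s1", "user_id": "u1", "issued_at": utc_date(2017, 1, 10), "last_seen_at": utc_date(2017, 1, 20)},
    {"id": "s2", "user_id": "u2", "issued_at": utc_date(2017, 1, 25), "last_seen_at": utc_date(2017, 2, 5)},
    {"id": "s3", "user_id": "u3", "issued_at": utc_date(2017, 2, 10), "last_seen_at": utc_date(2017, 2, 11)},
    {"id": "s4", "user_id": "u4", "issued_at": utc_date(2017, 2, 20), "last_seen_at": utc_date(2017, 2, 21)},
]
SAMPLE_USERS = [
    {"id": "u1", "signed_up_at": utc_date(2016, 12, 1)},
    {"id": "u2", "signed_up_at": utc_date(2017, 1, 1)},
    {"id": "u3", "signed_up_at": utc_date(2016, 6, 1)},
    {"id": "u4", "signed_up_at": utc_date(2017, 2, 20)},
    {"id": "u5", "signed_up_at": utc_date(2017, 2, 15)},
]

if __name__ == "__main__":
    window = exposure_window(SAMPLE_FEATURES)
    print("exposure window:", window)
    print(plan_remediation(window, SAMPLE_SESSIONS, SAMPLE_USERS))
```

With the sample data the window runs from February 1 to February 18, 2017 (Server-Side Excludes was switched on after its rollout date, so that later date wins). Session s2 was issued before the window but still in use inside it, so its token is revoked even though its owner is not forced to reset a password; u5 has no session at all but signed up inside the window, so the signup password is treated as exposed.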
«My website wasn’t affected, is there anything I should do?»
Because the leaked memory came from servers shared by all CloudFlare customers, your own accounts elsewhere may still be exposed. It’s advisable to check the publicly available lists of websites using CloudFlare and consider changing the password of any accounts you may have there.