Safety Jim PSA: Cloudflare Security Issue

Nelly
Discord Blog
Published in
2 min read · Feb 24, 2017


Before we get into the PSA, I’ve got a big ol’ request for ya:

Change your Discord password! And Patreon, Yelp, Authy… a lot of good services use Cloudflare these days.

The PSA

Anyway, sorry to bug you folks on this beautiful Thursday evening, but Safety Jim’s gotta come keep you all woke because the internet can be a scary place.

Unfortunately, there’s a microscopic chance that a bug in Cloudflare, one of our service providers, leaked sensitive Discord data including passwords. Double unfortunately, this is affecting a lot of companies who use Cloudflare to keep you guys safe from the bad guys.

If you want the longer version from our grandmaster code slinger aka our Chief Technical Officer aka Stan, read the message below.

Moreover, if you forgot how to change your password, here’s how.

The Important Technical Bits From Our CTO Stan:

Cloudflare disclosed today that they have fixed a bug reported by Google’s Project Zero that was very rarely exposing sensitive information in random requests (0.00003% of all requests) since September 2016. There was no way to target specific information and the exposed information was random.

For those that are unaware, Cloudflare is an internet proxy that protects websites from malicious attacks such as DDoS. Discord and many other websites were affected by this vulnerability. You can find a full list of websites that are using Cloudflare here.

The likelihood that your information was leaked on any of these sites is very low, but we highly recommend changing your password on Discord and any other sites you use that also use Cloudflare. If you develop against the API on any of the sites, it is also recommended to reset your API key.

At the current time we do not believe performing a forced password reset on all of Discord is necessary given the incredibly low likelihood of impact, but we are continuing to evaluate as we wait for Cloudflare to provide us directly with the full level of impact.

Stay safe on the internet!

UPDATE Feb 24, 2017: As the dust settles, it’s worth noting that Reddit is not affected. Furthermore, Medium doesn’t store passwords, so users won’t be able to reset their information on Medium (although their auth tokens may still be at risk).
