A recently discovered software bug at Cloudflare, the CDN and DDoS-protection provider that sits in front of millions of websites, has caused data that was supposed to be secure to leak onto the internet since September 22, 2016. Dubbed Cloudbleed, the far-reaching bug may have affected up to 5.5 million websites, including popular ones such as Uber and Fitbit. According to a GitHub post:
Between 2016-09-22 and 2017-02-18, passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. Data was cached by search engines, and may have been collected by random adversaries over the past few months.
Requests to sites with the HTML rewrite features enabled triggered a pointer math bug. Once the bug was triggered, the response would include data from ANY other Cloudflare proxy customer that happened to be in memory at the time. This means a request for a page with one of those features enabled could include data from Uber or one of the many other customers that didn't use those features. So the potential impact is every single one of the sites using Cloudflare's proxy services (including the HTTP and HTTPS proxy).
The greatest period of impact was between February 13 and February 18, with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that's about 0.00003% of requests), with potentially 100k-200k pages containing private data leaked every day.
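The "pointer math bug" in the quoted post is the important part for anyone who writes parsers. A proxy that rewrites HTML walks the customer's response with a pointer and an end-of-buffer pointer; if the scanner can advance the pointer past the end in one step and the end check only tests for equality, the check is skipped and the scanner keeps reading whatever happens to sit next in memory, which in a shared proxy is another customer's response. The C program below is an added illustration written for this article, not Cloudflare's code, its memory layout, or the actual bug. It simulates proxy memory with one arena in which customer A's truncated HTML is followed by customer B's data (both constructed), runs a deliberately vulnerable tag rewriter beside a hardened one, and shows that only the vulnerable one copies B's bytes into A's output.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One arena standing in for the proxy's memory: customer A's response is
 * followed immediately by customer B's data. Constructed for this example;
 * it is not Cloudflare's code or memory layout. Only A_LEN bytes belong to A,
 * and A's page is cut off right after a '<', the malformed input that matters.
 * Keeping both in one array keeps the over-read well defined so it can be
 * demonstrated deterministically. */
static const char arena[] =
    "<b>hi</b><"           /* customer A: 10 bytes, truncated inside a tag */
    "B:api_key=hunter2";   /* customer B: must never appear in A's output  */
#define A_LEN 10

typedef size_t (*rewriter_fn)(const char *, size_t, char *, size_t);

/* Vulnerable rewriter. Text is copied through; each tag is located and copied
 * as a unit (a real rewriter would modify it). After skipping two bytes the
 * end-of-input test uses ==, so when '<' is the last byte of A's buffer the
 * pointer lands one past pe, the test fails, and the scan for '>' continues
 * through whatever memory follows A. */
static size_t rewrite_vuln(const char *buf, size_t len, char *out, size_t cap)
{
    const char *p = buf, *pe = buf + len;
    size_t n = 0;
    while (p < pe) {
        if (*p != '<') { if (n + 1 >= cap) break; out[n++] = *p++; continue; }
        const char *tag = p;
        p += 2;                                /* skip '<' and first name byte */
        if (p == pe) break;                    /* BUG: p may already be pe + 1 */
        while (*p != '>' && *p != '\0') p++;   /* unbounded scan for '>'       */
        if (*p == '>') p++;
        size_t tl = (size_t)(p - tag);
        if (n + tl >= cap) break;
        memcpy(out + n, tag, tl);
        n += tl;
    }
    out[n] = '\0';
    return n;
}

/* Hardened rewriter: the end test is p >= pe, and every read of *p inside a
 * tag is bounded by pe. A tag that is not terminated before the end of the
 * buffer is dropped rather than being a reason to keep reading. */
static size_t rewrite_fixed(const char *buf, size_t len, char *out, size_t cap)
{
    const char *p = buf, *pe = buf + len;
    size_t n = 0;
    while (p < pe) {
        if (*p != '<') { if (n + 1 >= cap) break; out[n++] = *p++; continue; }
        const char *tag = p;
        p += 2;
        if (p >= pe) break;                    /* FIX: never step past pe      */
        while (p < pe && *p != '>') p++;       /* bounded scan for '>'         */
        if (p == pe) break;                    /* unterminated tag: drop it    */
        p++;
        size_t tl = (size_t)(p - tag);
        if (n + tl >= cap) break;
        memcpy(out + n, tag, tl);
        n += tl;
    }
    out[n] = '\0';
    return n;
}

/* Returns 1 if customer B's data shows up in the output produced for A. */
static int leaks_neighbor(rewriter_fn fn)
{
    char out[64];
    fn(arena, A_LEN, out, sizeof out);
    return strstr(out, "api_key") != NULL;
}

/* Returns 1 if the rewriter's output for A equals the expected string. */
static int output_equals(rewriter_fn fn, const char *expected)
{
    char out[64];
    fn(arena, A_LEN, out, sizeof out);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    char out[64];
    rewrite_vuln(arena, A_LEN, out, sizeof out);
    printf("vulnerable: %s\n", out);   /* <b>hi</b><B:api_key=hunter2 */
    rewrite_fixed(arena, A_LEN, out, sizeof out);
    printf("hardened:   %s\n", out);   /* <b>hi</b> */
    return 0;
}
```

Two things to take from it: the trigger is malformed input at the very end of a buffer, which is why the leak was rare (one request in millions) yet hit every tenant of the shared process, and the fix is not only `>=` in place of `==` but bounding every read inside the tag scan, since a scanner that skips more than one byte at a time can jump over an equality check.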
So what should you do? Change your passwords now, especially if you use Uber or Fitbit, or any other site that sits behind Cloudflare. The list at https://github.com/pirate/sites-using-cloudflare/blob/master/README.md enumerates domains known to use Cloudflare; being on it means a site could have been affected, not that it was confirmed to have leaked. Since the leaked memory also contained API keys, rotate any API keys you hold for services on that list, and where a service offers it, sign out of all sessions so that credentials issued before the fix stop working. Use a password manager such as 1Password (where available) to generate a unique random password for each site, or failing that one of the random password generators freely available online.