Update 1: See list of sites below.

Update 2: We received a brief statement from Uber

Update 3: OKCupid has made a similar statement

Very little Uber traffic goes through Cloudflare. Only a handful of tokens were involved and have since been changed. Passwords were not exposed.

User data from 3,400 websites has been leaked and cached by search engines as a result of a bug in Cloudflare, a content delivery network. Sites affected over the course of several months include major ones like Uber, Fitbit and dating site OKCupid. 1Password also uses Cloudflare, but says that end-to-end encryption means that no customer data was exposed.

ArsTechnica reports that the leaks were spotted by Google security researcher Tavis Ormandy.

Cloudflare has admitted that the breach occurred, but Ormandy and other security researchers believe the company is underplaying the severity of the incident …

We observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security.

A Cloudflare blog post acknowledges that the issue was serious, but says there is no evidence of it having been exploited.

Ormandy responded by writing:

The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.

Security researcher Ryan Lackey agrees, saying that while the likelihood of passwords being exposed is low, that risk does exist and that users are advised to change them.

[The company’s blog post] contains an excellent postmortem, but severely downplays the risk to customers.

Google, Bing, Yahoo and other search engines have been working on clearing cached data from the breach before anyone went public, hence the delayed notification, but ArsTechnica notes that some cached data remains.

While Cloudflare’s service was rapidly patched to eliminate this bug, data was leaking constantly before this point — for months. Some of this data was cached publicly in search engines such as Google, and is being removed. Other data might exist in other caches and services throughout the Internet […]

The most sensitive information leaked is authentication information and credentials. A compromise of this data can have lasting and ongoing consequences until credentials are revoked and replaced. From an individual perspective, this is straightforward —the most effective mitigation is to change your passwords.

This incident underlines the vulnerability of even the most secure services to weaknesses in third-party code. Just yesterday, it was revealed that Apple has cut ties with one of its server suppliers after potential security issues were found in firmware updates. Apple is reportedly working on building its own cloud infrastructure – including servers – to avoid the risk of hardware being compromised either accidentally or deliberately.

Check out our recent guide to password management.

Update:

An unofficial list of sites that may be affected has been posted to Github, but note that this includes all domains that use Cloudflare DNS – a much larger number than use the affected services.

Image: University of Nebraska-Lincoln