From September of last year to Feb. 20 of this year, thanks to a series of unfortunate events revolving around routine upgrades, an old HTML parser was activated. The results of the activation of the old parser were that a very small percentage of incoming page requests, amounting to 0.00003% of the total number of requests the company received, were compromised. This amounts to roughly one out of every 3.3 million requests the company received.
Operationally, this bug resembles Heartbleed, but was limited to Cloudflare servers. In instances where data was exposed, it was complete, but given the sheer number of companies that use Cloudflare, the company’s recommendation is for everyone who uses the internet to reset all passwords.
A Google researcher stumbled on the bug by accident while working on a totally unrelated project. Cloudflare personnel were notified on Feb. 18, the same day the bug was confirmed.
They assembled a rapid response team and had resolved the issue by Feb. 20, but again, given the size and scope of Cloudflare’s client base, the recommendation stands. It is in every internet user’s best interest to change all passwords immediately. That’s all the more important given the unfortunate reality that too many people tend to use the same password across multiple websites, so if any of your information was swept up by a hacker during the period of vulnerability, it could lead to a total compromise of your identity.
Note that if your company makes use of Cloudflare’s services, your company’s data may have been exposed. At the very least, user names and passwords allowing hackers to access company accounts may have been exposed, so to be safe, changing those may be wise.