Do it for your data
Cloudflare, the web-infrastructure giant that describes itself as a service that “speeds up and protects millions of websites,” found itself in an ironic position in February 2017 when a bug in its own edge software leaked sensitive personal data belonging to millions of unsuspecting internet users.
“Could someone from cloudflare security urgently contact me.” Tavis Ormandy (@Tavis Ormandy), 18 February 2017 (UTC)
Cloudflare’s edge servers were inadvertently inserting chunks of their own memory, including data belonging to sites like OkCupid, into the HTML pages they served for other websites on the network. Private messages, passwords, cookies and even encryption keys ended up embedded in pages across the internet. If nobody had been looking for that sort of thing, much of it might have gone unnoticed. But search engines fetch and store copies of pages to build their indexes, so the leaked data was also sitting in the caches of Google and Bing.
The bug that caused the leak was a nasty one: a single-character error in the HTML parser Cloudflare runs at its edge let the server read past the end of a buffer and copy whatever memory lay beyond it into the response. Who was exposed? First and foremost, the company’s customers: more than 5 million websites use Cloudflare’s platform, including sites and apps like Uber, Yelp, and OkCupid. According to Tavis Ormandy, the Google Project Zero researcher who found the leak, over a five-day period in February the bug spewed data onto more than 3,000 unique domains.
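A toy reconstruction of the bug class, added here as an illustration and not Cloudflare’s actual parser code: a streaming tag-stripper written in the style of a generated scanner, where `p` walks the input and `pe` points one past its end. The vulnerable variant tests `p == pe`; when a page ends with a lone `<`, the scanner consumes two bytes at once, steps past `pe`, and because the equality test can never fire again it keeps reading and copying whatever sits after the buffer. The fixed variant tests `p >= pe` and stops. The arena, the page, the neighbouring response and its token are all constructed sample data; no real leaked content is used.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed arena standing in for one process heap: the page being
 * rewritten occupies the first bytes, and immediately after it sits
 * another tenant's response. All of it is sample data made up for this
 * example. The arena is deliberately larger than anything the scanner can
 * reach, so the demo itself never reads out of bounds. */
#define ARENA_LEN 256
#define MAX_STEPS 64   /* bounds the demo; a real scanner has no such cap */

static char arena[ARENA_LEN];

/* The page ends with a lone '<': an unterminated tag at the end of the buffer. */
static const char page[]     = "<p>Hello</p> visitor <";
/* The neighbouring tenant's response, complete with a sample secret. */
static const char neighbor[] = "<html><body>token=SAMPLE-TOKEN-42</body></html>";

/* Minimal tag-stripping scanner. p walks the input, pe is one past its end.
 * fixed == 0 reproduces the bug (equality test), fixed != 0 the repair.
 * Returns the number of bytes written to out, which is NUL-terminated. */
static size_t strip_tags(const char *p, const char *pe,
                         char *out, size_t out_cap, int fixed)
{
    enum { TEXT, TAG } state = TEXT;
    size_t n = 0;
    size_t steps = MAX_STEPS;

    while (steps-- > 0 && n + 1 < out_cap) {
        /* End-of-input test. With '==', once p has jumped past pe the test
         * can never become true again and the scanner runs on into memory
         * it was never meant to see. '>=' catches the overshoot. */
        if (fixed ? (p >= pe) : (p == pe))
            break;

        if (state == TEXT) {
            if (*p == '<') {
                state = TAG;
                p += 2;         /* consume '<' and the first name byte together */
            } else {
                out[n++] = *p++;
            }
        } else {                /* TAG: discard up to and including '>' */
            if (*p == '>')
                state = TEXT;
            p++;
        }
    }
    out[n] = '\0';
    return n;
}

/* Lays out page and neighbour in the arena and runs the scanner over the
 * page only: pe points at the first byte of the neighbour. */
size_t run_demo(int fixed, char *out, size_t out_cap)
{
    size_t page_len = strlen(page);

    memset(arena, 0, sizeof arena);
    memcpy(arena, page, page_len);
    memcpy(arena + page_len, neighbor, strlen(neighbor));

    return strip_tags(arena, arena + page_len, out, out_cap, fixed);
}

/* 1 if the scanner's output contains the neighbour's token, else 0. */
int leaks_neighbor(int fixed)
{
    char out[128];
    run_demo(fixed, out, sizeof out);
    return strstr(out, "SAMPLE-TOKEN-42") != NULL;
}

int main(void)
{
    char out[128];

    run_demo(0, out, sizeof out);
    printf("vulnerable (p == pe): \"%s\"\n", out);
    run_demo(1, out, sizeof out);
    printf("fixed      (p >= pe): \"%s\"\n", out);
    return 0;
}
```

The vulnerable run prints the page text followed by the neighbour's token; the fixed run stops at the end of the page. The lesson is the one a reviewer would flag in any hand-written or generated scanner: a termination test must be an inequality, because any state that advances the cursor by more than one byte can skip the exact end position.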
Cloudflare’s response was swift: a temporary mitigation went out less than an hour after it learned of the vulnerability, and the leak was plugged across all of its systems in around seven hours. But the damage was already cached, and a treasure hunt of sorts has since been sending the curious to mine Google’s caches for sensitive data.
But what can you do about leaks like this, which happen far more regularly than you may think?
Change your passwords periodically, says computer security expert Ryan Lackey. “From an individual perspective, this is straightforward. The most effective mitigation is to change your passwords.”
Two-step (two-factor) authentication sends a one-time code to your phone or email, or generates one in an authenticator app, whenever someone tries to log into your account. The login only completes once that code is entered, so a leaked or guessed password on its own is not enough to get in. When the wrong person tries, you are alerted and they are stopped at the second step. It is one of the most effective ways to keep bad actors out of your accounts; codes from an authenticator app or a hardware key are harder to intercept than ones sent by SMS or email.
Unfortunately, the easiest passwords to guess are also the most popular. Using “123456” or the perennial “password” is just setting yourself up for a bad day. Instead, use a mix of uppercase and lowercase letters, numbers and special characters, and make it long: NASA, for example, tells employees to use passwords of at least eight characters, and that is a floor, not a target. Skip slang and dictionary words, too, since cracking tools try those first.
Passwords end up weak because strong ones are hard to remember, so people pick simple ones and reuse them across sites. A password manager removes that trade-off: it generates and remembers a unique, random password for every site, and most will fill it in for you at login. Apps such as 1Password, Keeper, Dashlane and LastPass are all more than capable of keeping your passwords secure, and a unique password per site means that a leak at one service does not unlock your accounts everywhere else.
Leaks like this show how much of the web depends on a handful of services like Cloudflare. A single bug at one provider can reverberate across millions of websites and expose ordinary people’s private information. Although Cloudflare later narrowed the number of affected customers it could identify to around 150, the precarious nature of data on the internet is fully apparent. We are all suddenly aware of how easy it is for one bug to affect nearly everyone who works on or uses the web.