Security flaw hits popular websites

Security firm Cloudflare disclosed late Thursday that a long-running bug in its security systems may have leaked information, including potentially personal information, from thousands of sites including Uber, Fitbit and OK Cupid.

The problem was first uncovered by Google security expert Tavis Ormandy, who let Cloudflare know about the issue on Feb. 18. But the service had been leaking information for months in a way that allowed search engines to pick it up, according to Cloudflare.

The issue is only known to have affected a small portion of the 5.5 million sites that Cloudflare services. Cloudfare did not release a comprehensive list of affected sites, though researchers have been trying to compile them. However, there may be some companies listed as leaking information that were not. For example, password manager 1Password told its users that none of their data were put at risk.

Because there’s so little information about the sites and Cloudflare services are widely used, it’s a good idea to change your passwords on any site in a “better safe than sorry” sort of way.

Computer science professor Matthew Green compares the situation to a food recall. “It’s probably not going to affect you, but it’s hard to say,” said Green, who works at Johns Hopkins University. “Maybe you find that a few containers of yogurt have some added bacteria. Probably, you can go eat yogurt. But would you want to?”

Cloudflare posted a technical explanation of the problem to its blog. Essentially, the company was changing over from older code to newer code. Running both at the same time created an unforeseen issue that, when combined with some other features that Cloudflare offers, caused a data leak.