Cloudflare parser bug exposes sensitive data


Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers.

It turned out that in some unusual circumstances […] our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.

Not good. “Cloud Bleed”, as it has been dubbed, potentially affects an extremely large number of online services, as well as many smaller ones, even your own website or blog.

While Cloudflare has been working around the clock with Google engineers and other experts to purge the cached data, there is a chance your password or other sensitive information was put out there for everyone to see.

As with any incident of this kind, the “better safe than sorry” approach is the best one to take, so take the time to check the available lists and change your passwords.

Some of the major affected domains are:
producthunt.com
medium.com
coinbase.com
patreon.com
4chan.org
uber.com

A more extensive list is available here.

Also available is a quickly built online tool to check your domain here.

Source: Incident report on memory leak caused by Cloudflare parser bug