On Thursday, February 23, the web services company Cloudflare published a blog post describing a memory leak caused by a serious bug that impacted Cloudflare’s systems. This is worrying news for users of 5.5 million websites that use Cloudflare globally, including Uber, Bitpay, Producthunt, Fitbit, OKCupid, Eurovision, Yelp and others.
Cloudflare speeds up websites and protects them against distributed denial of service (DDoS) attacks by routing connections through its own content delivery network. It also blocks threats and limits abusive bots and crawlers from wasting website’s bandwidth and server resources.
However, a recently discovered bug in the company’s software had been sending pieces of unrelated data to users’ web browsers when they visited a site hosted by Cloudflare. Some of that data had been cached by search engines.
The bug was first discovered by Google’s security researchers who then informed Cloudflare about the problem. Cloudflare’s team identified the issue and deployed a fix globally within 7 hours. Most of the exposed data was reported to have been removed from the caches of search engines like Google and Bing.
Nevertheless, today is a good time to change your account passwords. With 5.5 million websites using Cloudflare, it’s a good chance that at least some of your accounts have been affected.
NordVPN is one of the companies that use Cloudflare to protect their websites against DDoS attacks and increase their performance. Cloudflare is in no way related with the VPN service itself–only with the website. Furthermore, we received an email from the company assuring that our domain includes no exposed data:
Your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find.
In any case, we recommend to change your NordVPN account password just to be on the safe side. We also recommend changing passwords of all your accounts at least every six months to avoid brute-force attacks.