Late last week Cloudflare announced that a pretty serious bug had been found in the way they handled their traffic. The bug allowed private data from one website to be publicly visible in the HTML of another website - they were inadvertently leaking information. Thankfully only a small percentage of requests were vulnerable, but for a company the size of Cloudflare, that still equals a big headache.
It's important to say that your ThisData account is safe. ThisData uses Cloudflare's services, but they have been in contact with us and said that our data was not included in the leak. In an abundance of caution we proactively revoked active user sessions, causing some users to need to log in again.
Regardless, we don't have to trust Cloudflare's word that we're unaffected. It's our job to spot malicious use of stolen passwords & cookies, so you're in good hands! Our breach detection service has been tried, tested, and refined for exactly this kind of scenario - you don't know whether your users' passwords have been leaked or not, but you don't want to force them all through a password reset. Instead, using a service like ThisData lets you add frictionless security to keep your users safe. We are monitoring, and will continue to monitor, for unusual behaviour, and we will alert you or your users if we spot something amiss. If you're a Cloudflare customer using ThisData, you can rest a little easier.
ThisData gives us confidence that if a user account is ever breached we will know about it immediately
- Dan Allen, Co-Founder/VP Engineering, Litmos LMS
Here is some good further reading on the technical side:
- The original vulnerability report from Google's "Project Zero"
- Cloudflare's statement and in-depth blog post
Advice on how to respond: