February 26, 2017

Cloudbleed - ThisData's Response

Late last week Cloudflare announced that a pretty serious bug had been found in the way they handled their traffic. The bug allowed private data from one website to be publicly visible in the HTML of another website - they were inadvertently leaking information. Thankfully only a small percentage of requests were vulnerable, but for a company the size of Cloudflare, that equals a big headache.

It's important to say your ThisData account is safe. ThisData uses Cloudflare's services, but they have been in contact with us and said that our data was not included in the leak. In an overabundance of caution we proactively revoked active user sessions, causing some users to need to log in again.

Regardless, we don't have to trust Cloudflare's word that we're unaffected. It's our job to spot malicious use of stolen passwords & cookies, so you're in good hands! Our breach detection service has been tried, tested, and refined for exactly this kind of scenario - you don't know whether your users' passwords have been leaked or not, but you don't want to force them through a password reset. Instead, using a service like ThisData lets you add frictionless security to keep your users safe. We are monitoring, and will continue to monitor, for unusual behaviour and alert you or your users if we spot something amiss. If you're a Cloudflare customer using ThisData, you can rest a little easier.

If you'd like to discuss any security concerns with us, or learn more about our login anomaly detection service, don't hesitate to contact us or sign up for a free trial.

ThisData gives us confidence that if a user account is ever breached we will know about it immediately
- Dan Allen, Co-Founder/VP Engineering, Litmos LMS

Here is some good further reading on the technical side:

Advice on how to respond:

