Three parts: 1) Who are Cloudflare, 2) What Happened, 3) What Do You Need To Do?

1) Cloudflare is a service that large websites – including my former employer – use as a first-bastion protection against hackers. Basically you point your public website details at them, and they mostly just forward it on to your real servers, but if there’s an attack then they’ll work out which connections to block so your site stays up. Optionally, they’ll also do things like replace email addresses in your page with weird things that look the same but can’t be harvested by robots looking for people to spam.

2) It’s this last thing that got them into trouble. The bit of their system that rewrote webpages had a bug that – given badly-coded sites, some options turned on, and a couple of other variables – would dump into the non-visual bit of the page whatever the server was thinking about at the time. Because these servers are dealing with a lot of requests at the same instant, this could be the passwords of someone sending a login form to that site over there, or a token that would allow you to assume someone else’s shopping basket, or whatever.

Cloudflare are fairly switched on, and when notified immediately turned off the broken feature and managed to deploy a fix within a couple of hours, but by that time the bug had been around a couple of weeks, so the leaked data was cached in places like Google’s web cache. Google have purged all these now.

3) Cloudflare have over 5 million clients, ranging from me-as-Aquarion with my tinpot blog engine through to people like Elsevier, Patreon, Blizzard. Not all of them had their data leaked as part of this, and the ones who have, have been notified by Cloudflare. Those companies should be sending out notifications or password reset systems. To repeat: Just because the website was using Cloudflare’s services does not necessarily mean your password has been leaked, or their service was affected.

Full fallout from this will come in the form of security advisories in the next little while. It’s generally a good idea to rotate passwords occasionally (especially for high profile sites like Facebook, Amazon, Google) and to turn on Two Factor authentication for sites that enable it.

I use a password manager (LastPass; can also recommend OnePassword and Dashlane) and a centralised 2FA system (Authy is mine, but LastPass do one and Google’s own is the standard everyone else implements).