Cloudflare has revealed that over the past 5 months its website protection services have inadvertently leaked private information over the internet.
The flaw, nicknamed “Cloudbleed,” was discovered by Tavis Ormandy, a vulnerability researcher for Google Project Zero, and has been described by experts as “the worst leaked private data in history.”
While there is no indication that hackers exploited the vulnerability, the Google engineer says he was able to collect usernames, passwords, and a host of other private information on key search engines.
“Complete messages from a well-known chat service, (…) Private messages from leading dating sites, online password manager data, adult site data and hotel reservations,” Ormandy wrote.
The security bug reportedly affected 3,400 sites worldwide, including services such as Uber, Fitbit and OKCupid. However, due to the security risks involved, only the search engines were notified.
After the bug fix – which took 6 days to be installed – Cloudflare says it has warned Google, Bing and Yahoo to delete all traces of private information.