United States

Cloudbleed data leakage issue: practical advice


During the week of Feb. 20, a news barrage developed concerning a data leak affecting certain websites and mobile applications that rely on the Cloudflare internet content distribution network. Headlines commonly referred to “millions” of affected sites and urged readers to “change all passwords.”

While the issue is very much a real one, such attention-grabbing headlines warning of impending doom should be taken with a healthy dose of skepticism. Following is a summary of what we know about the issue and its implications, in nontechnical terms. 

The issue

The core issue at hand is that sensitive data, including passwords, confidential data, customer data, or other key secrets for a large number of websites and mobile applications may have been exposed and/or leaked due to a technical issue at Cloudflare, a web-service provider that supports millions of sites, including many of the top sites on the internet.

Potential impact

The impact of the Cloudflare issue is hard to ascertain and may never be fully known. According to Cloudflare, the conditions leading to exposure of sensitive data go back to September 2016, and data leakage peaked between Feb. 13 and 18, 2017. But only a subset of Cloudflare sites was affected.  The issue was discovered by Tavis Ormandy, a security researcher at Google, and is not known to have been exploited by malicious actors.

What to do

The immediate action in response to this exposure is to conduct a security risk assessment of any systems and applications that may have been exposed to the affected Cloudflare services―either directly or indirectly, including those third-party systems on which your organization may rely. It is important to remember that your systems may ultimately rely on Cloudflare through a third party, even if you do not know of any direct relationship with Cloudflare. A business decision then needs to be reached regarding appropriate remediation, including changing potentially affected passwords, API keys or other sensitive information.

Beyond the technical response, companies also need to be prepared with clear, consistent customer messaging. The potential reputational damage of a poorly constructed response to customer inquiries could be more damaging than the actual technical risk. This is especially important for companies whose sites have been published as among those known to be affected by the issue, and/or to use Cloudflare services, whether they are known to have been affected or not.

Finally, this event should also serve as a reminder to develop or update your company’s incident response plan, including technical, public relations and legal considerations, and to schedule regular exercises to ensure your emergency response teams are best prepared to handle this or any future crisis.


How can we help you?

Contact us by phone 800.274.3978 or
submit your questions, comments, or proposal requests.

Receive Risk Bulletin by Email


Cybersecurity Rapid Assessment®

Complete our Cybersecurity Rapid Assessment form to be contacted about receiving our "quick-hit" evaluation of your organization’s overall security risk.