by chm 3400 days ago
Some important parts:

    The examples we're finding are so bad, I cancelled some
    weekend plans to go into the office on Sunday to help
    build some tools to clean up. I've informed cloudflare
    what I'm working on. I'm finding private messages from
    major dating sites, full messages from a well-known
    chat service, online password manager data, frames from
    adult video sites, hotel bookings. We're talking full
    https requests, client IP addresses, full responses,
    cookies, passwords, keys, data, everything.

    Cloudflare pointed out their bug bounty program, but I
    noticed it has a top-tier reward of a t-shirt.

    Cloudflare did finally send me a draft. It contains an
    excellent postmortem, but severely downplays the risk
    to customers.

Connecting some dots, I'm wondering if the "well-known chat service" is Slack:

http://www.computing.co.uk/ctg/news/2462266/whatsapp-reddit-...

I'm fairly sure that it's Discord.
Yes, I found some leaked data referencing Discord still in Google's cache so I'd say it's them.
Mind emailing me some details? az@discordapp
I didn't keep details, sorry. It was late (UK time) and I was attempting to get my own response out the door.

I saw three domains directly myself with compromised details:

android-cdn-api.fitbit.com

iphone-cdn-client.fitbit.com

api-v2launch.trakt.tv

I saw data relating to Discord whilst on various cached pages when I was looking at the above domains.

The pages are no longer available in Google's cache so I can't link to them.

Some cached pages had data from multiple sites all together; it was a mess.

No worries, thanks for the response anyway!