by 79d697i6fdif 3404 days ago
> In total, between 22 September 2016 and 18 February 2017 we now estimate based on our logs the bug was triggered 1,242,071 times.

Wow, so just as bad as we thought.

> We did not find any passwords, credit cards, health records, social security numbers, or customer encryption keys in the sample set.

BUT WAIT, THERE'S MORE

> The sample included thousands of pages and was statistically significant to a confidence level of 99% with a margin of error of 2.5%.

Oh, so it could actually be as high as 2.5% leaking encryption credentials. And if none of the data was found to leak anything sensitive, where the fuck is the dataset? I've been around way too long to take a "study" like this at face value without third-party verification.

I also enjoy the straight up lie at the end:

> We are continuing to work with third party caches to expunge leaked data and will not let up until every bit has been removed.

That sounds great, right? Well, it's too bad that a lot of 'third parties' are a box sitting on the corporate network edge that hasn't been touched in 5 years. Deleting all of this data from third-party caches is not physically possible. In fact it might actually make things worse, because it's destroying evidence of which credentials were leaked.


> We are continuing to work with third party caches

One of the caches they worked with was Baidu, which has direct ties to Chinese intelligence. Just because it isn't publicly available doesn't mean people aren't still poring over it looking for useful data.

Also, a lot of web spiders are not benign. All sorts of bots troll the internet looking specifically for data leaks like publicly visible email addresses and SSN's. I'm sure they're having a field day.
1.2 million page views over 5 months is almost nothing for the amount of traffic going through Cloudflare.
It seems to me that the absolute number is what's relevant, not how it compares to the total amount of traffic. That's 1.2 million potential data leaks. That it's "out of a bazillion" doesn't change it.
Correction: It's 1.2 million definitive leaks.

The only question is what is in these leaks exactly.

And 1.2 million people dying is nothing compared to the number of people on the earth.

IMO a leak this bad should be enough to sink Cloudflare. A provider of SSL was randomly spitting out private data onto public websites. OVER A MILLION TIMES. Entire CAs have been shut down for leaking a couple hundred certificates. This has leaked private data over a million times; Cloudflare is a joke.

> And 1.2 million people dying is nothing compared to the number of people on the earth.

A != B

For reference, two years ago Cloudflare was serving more than three million requests per second[0]. I can only imagine this figure has gone up a lot.

0: https://youtu.be/LA-gNoxSLCE?t=2m33s

If you are this concerned, change your credentials.
A password change would not help if the session cookie is leaked. In many instances you cannot do anything about that, as many services do not have any "logout all" feature.
It's good practice to destroy all sessions (besides the current one) when a password is changed, since a password change suggests that the old password may have been compromised. Not sure how many websites do that in practice, though.
And this is why I changed the key I use for cookies on the application I had that was behind Cloudflare. This triggered all users to be logged out and invalidated any session cookie out there.

So, yes, responsible websites can mitigate session cookies being leaked.

That said, I am not impressed by Cloudflare's transparency which in this case consists of downplaying things, blaming Google and Taviso and not really taking responsibility.

On sites I write, I hash the hash of the current password into the session key. That way if you change your password all sessions are invalid, even if you change your password to itself.
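The scheme described in the comment above, binding the session MAC to a hash of the stored password hash so that any password change (even to the same password, thanks to a fresh salt) invalidates every outstanding session. This is an added illustration, not code from the commenter or from Cloudflare; the server key, the in-memory user store and the `user:session_id:mac` token layout are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-ins for a server secret and a user store; not production infrastructure.
SERVER_KEY = b"constructed-server-key-replace-in-real-deployments"
USERS = {}  # username -> salt || PBKDF2 digest (usernames assumed not to contain ':')


def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. Because the salt is fresh on every call,
    re-setting the same password yields a different stored hash, which is
    exactly what invalidates old sessions below."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + digest


def set_password(user: str, password: str) -> None:
    USERS[user] = hash_password(password)


def _binding(user: str, session_id: str) -> bytes:
    # The MAC covers a hash of the *stored password hash*, so it only verifies
    # while that stored hash is unchanged. The raw hash never leaves the server.
    pw_hash_hash = hashlib.sha256(USERS[user]).digest()
    msg = user.encode() + b"\x00" + session_id.encode() + b"\x00" + pw_hash_hash
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_session(user: str) -> str:
    """Return a bearer token; the random session_id keeps tokens distinct per login."""
    session_id = secrets.token_urlsafe(16)
    return f"{user}:{session_id}:{_binding(user, session_id).hex()}"


def verify_session(token: str) -> bool:
    """Recompute the binding from current server state; a password change since
    issuance (or any tampering) makes the comparison fail."""
    try:
        user, session_id, mac_hex = token.split(":", 2)
        mac = bytes.fromhex(mac_hex)
    except ValueError:
        return False
    if user not in USERS:
        return False
    return hmac.compare_digest(_binding(user, session_id), mac)
```

A leaked cookie therefore stops working the moment the victim resets their password, without the site needing a separate "logout all" feature.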
So every website that uses cloudflare should ask their users to change all of their passwords, credit card numbers, and SSN's?

This leak is being downplayed by webmasters because it's so incredibly bad that there's no way of handling it. The credentials of practically any internet user could have been leaked. The only "safe" way to handle this is to give everyone in the US new credit cards and SSN's and to reset accounts and security questions for every user on a site with cloudflare

No, but judging by how much you are freaking out in the comments, I was recommending you to change yours. I'm not really sure what you want anyone else to do? It seems like you are just screaming at your monitor over something that, while a significant bug, isn't a huge deal. This is just basic risk management.
Credit cards and SSNs are regularly compromised. The real problem is that they are used as an authentication mechanism. That's what we should be concerned about.

This issue is a drop in the bucket when it comes to the amount of sensitive data leaked.

1.3m pages served with "extra" data is minuscule considering the number of actual pages served. Ideally you'd have no pages served, but when you've got a bugproof technology the world will be your oyster.