by cookiecaper 3391 days ago
I think you're misinterpreting the comments about the scale of the leak. The risk that a concrete compromise would occur as a result was always pretty small.

The bigger thing was the grandiose scale, the impact on administrators in having to rotate a significant number of credentials, and the hit to CloudFlare's reputation. A bug where you randomly dump random data without regard to its sensitivity or origin (i.e., data from completely unrelated sites could've been included in the dump), and have no way to tell what actually leaked, is the worst kind of privacy bug there is, precisely because it's impossible to triage. No one can ever know everything that actually got out.

CloudFlare is now a major piece of internet infrastructure. It's impossible to know that anything sent through a CloudFlare server between Sept 2016 and Feb 2017 wasn't accidentally publicly leaked, and worse, non-trivial quantities of this data were being accidentally saved permanently in search indexes. Surely some bad actors have saved such results in their own private indexes as well.

When CloudFlare says "your site was probably unaffected", they're making a guess, because they have no way to actually tell. They're just assuming that based on the volume of requests your CloudFlare endpoint receives and the volume of requests made to endpoints that exhibited this bug, content from your site probably didn't get out. But there's no way to know.

If we take that seriously, it requires us to consider everything that went through a CloudFlare server as potentially publicized and preserved in the public record (including usually-transparent unique identifiers like session cookies/tokens). We then have to assume that an adversary obtained any and all such data, and respond as best as we can to preclude the possibility of that adversary exploiting the leaked secrets to harm our and/or our company's interests.

Of course, the flip side of the sheer scale of this, and the fact that the bug was relatively rare and that there was no way to control what content it dumped, is that it's very unlikely any of your data specifically actually got leaked.

If you and/or your company are OK with crossing your fingers and hoping this won't affect you, there is probably a 99.something-something-something% chance you'd be right. Most people have responded by resetting tokens/passwords for anything that uses CloudFlare, since that's relatively low-impact and most people were probably overdue for a credential recycle anyway, and have left it at that.

This does clearly illustrate that the internet has a few de-facto junction points, which would be very high-value for an attacker. That's worth keeping in mind.
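The response the comment argues for in practice (treat every bearer secret that was live while the edge was leaking as compromised, revoke it, and force re-issue) as an added example; this is not code from the commenter or from CloudFlare. The window bounds are assumptions: the comment names only "Sept 2016" and "Feb 2017", so whole months are used here, and the sample credential store is constructed, not real data.

```python
"""Session/token revocation after a time-bounded edge leak.

Added example, not the commenter's or CloudFlare's code.  Date bounds are
assumptions: the comment names only "Sept 2016" and "Feb 2017", so the
whole months are used.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional

UTC = timezone.utc
EXPOSURE_START = datetime(2016, 9, 1, tzinfo=UTC)   # assumed: start of Sept 2016
REMEDIATION_END = datetime(2017, 3, 1, tzinfo=UTC)  # assumed: end of Feb 2017


@dataclass(frozen=True)
class Credential:
    """A session cookie, API token or similar bearer secret."""
    cred_id: str
    owner: str
    issued_at: datetime
    expires_at: Optional[datetime]  # None = never expires (e.g. a long-lived API key)


def possibly_exposed(cred: Credential,
                     start: datetime = EXPOSURE_START,
                     end: datetime = REMEDIATION_END) -> bool:
    """True if the secret was live at any instant of the leak window.

    A bearer secret could have appeared in any response that traversed the
    edge between `start` and `end`, so this is an interval-overlap test, not
    "issued inside the window": a key issued in 2015 that never expires is
    just as exposed as a session issued in January 2017.
    """
    expires = cred.expires_at if cred.expires_at is not None else datetime.max.replace(tzinfo=UTC)
    return cred.issued_at < end and expires > start


def revocation_plan(creds: Iterable[Credential]) -> dict[str, list[str]]:
    """Group exposed credential ids by owner so each account gets one notice."""
    plan: dict[str, list[str]] = {}
    for c in creds:
        if possibly_exposed(c):
            plan.setdefault(c.owner, []).append(c.cred_id)
    return plan


def accept_session(cred: Credential, now: datetime,
                   not_before: datetime = REMEDIATION_END) -> bool:
    """Server-side gate that invalidates every pre-remediation session at once.

    Rather than deleting rows, keep a single `not_before` timestamp and reject
    anything issued earlier.  This also catches sessions you have no record of
    (e.g. ones held only in a client cookie), which is the point: you cannot
    enumerate what leaked, so the cut has to be by time, not by id.
    """
    if cred.issued_at < not_before:
        return False
    if cred.expires_at is not None and cred.expires_at <= now:
        return False
    return True


# Constructed sample store (not real data).
SAMPLE_STORE = [
    Credential("s-old-dead", "alice", datetime(2016, 1, 5, tzinfo=UTC), datetime(2016, 2, 5, tzinfo=UTC)),
    Credential("s-old-live", "alice", datetime(2016, 8, 30, tzinfo=UTC), datetime(2016, 9, 30, tzinfo=UTC)),
    Credential("k-api-forever", "bob", datetime(2015, 6, 1, tzinfo=UTC), None),
    Credential("s-in-window", "bob", datetime(2017, 1, 15, tzinfo=UTC), datetime(2017, 2, 15, tzinfo=UTC)),
    Credential("s-post-fix", "carol", datetime(2017, 3, 2, tzinfo=UTC), datetime(2017, 4, 2, tzinfo=UTC)),
]

if __name__ == "__main__":
    for owner, ids in sorted(revocation_plan(SAMPLE_STORE).items()):
        print(f"{owner}: revoke {ids}")
```

Note that `s-old-dead` is left alone (it expired months before the window opened) while `k-api-forever` is revoked even though it predates the window by over a year; the overlap test, not the issue date, is what decides.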