Cloudflare User Data Leak (Uber, OKCupid, Fitbit User Data Compromised)

As reported by several news organizations, several major consumer-facing organizations – including Uber, Fitbit, 1Password and OKCupid – were impacted by a ‘memory leak’ vulerability suffered by Cloudflare – a content delivery network and Internet security services provider.  IT security experts from Prevoty and CipherCloud commented below.

Kunal Anand, CTO and Co-Founder at Prevoty:

“I’ve been following this very closely since it started percolating through various channels. Some folks are calling this “CloudBleed” – the high level story is that there was a software bug that caused sensitive information to be leaked. Unlike typical sensitive information disclosure, this one is a little different in that search engines and other crawlers started picking up this information without even realizing it. Reputable companies like Google are taking the extra step to purge their search caches for this sensitive information. Other companies, particularly those funded by nation states have not been transparent about how they’ll deal with the information. A lot of popular internet companies/operators have been affected – and unfortunately they’ll have to be the ones working directly with customers and giving them the bad news. All affected sites/services need to destroy all HTTP sessions and potentially do API key as well as password resets across the board. There’s been a very big move to the cloud and centralized security infrastructure – I think this will give security teams at the Fortune 500 companies some pause and headaches as they plan their security roadmap.”

David Berman, Senior Director, Product Marketing at CipherCloud:

“Third-party data leak risk is a constant concern for consumer facing businesses and enterprises.  And while most third-party providers support best practices like SSL for data-in-transit and data-at-rest encryption for storage, a huge gap exists for “data in use” including sensitive information like PII, IP addresses, keys, tokens and passwords.  A persistent, data-centric approaches to encryption can mitigate the risk of third-party data leaks such as this one.”