Internet security firm Cloudflare has suffered a bug that saw hundreds of thousands of webpages leaking personal data such as passwords and personal messages.
The leak leaves millions at risk of being hacked or having their private conversations, including chats on dating websites, leaked across the web.
There is no sign yet that the prolonged leak, which lasted for months, was exploited by hackers, Cloudflare said.
The bug, known as Cloudbleed, is said to be a fundamental software issue in Cloudflare’s code, which has now been fixed.
The California company helps 6 million websites push their content around the internet, including Uber, OkCupid and Fitbit.
A list of all of the websites affected by the leak has been published online.
In a blog post, Cloudflare said that the bug leaked website passwords, cookies and authentication tokens, posted in plain text online.
Cloudflare is a content delivery network that spreads the millions of sites it hosts across the Internet.
It does this to put the sites closer to customers while at the same time reducing their exposure to so-called distributed denial-of-service (DDoS) attacks that could knock them offline.
The data leak was attributable to a bug in the firm’s software that had been sending chunks of unrelated data to users’ browsers when they visited a webpage hosted by Cloudflare, according to Google researchers.
Cloudflare Chief Technology Officer John Graham-Cumming said the problem had been fixed quickly and most of the exposed data removed from the caches of search engines like Alphabet’s Google.
‘We’ve seen absolutely no evidence that this has been exploited,’ he told Reuters by phone.
‘It’s very unlikely that someone has got this information.’
The leakage may have been active from September, but the period most affected was from February 13 until it was discovered on February 18.
At its height earlier this month, Graham-Cumming said, about 120,000 webpages were leaking information every day.
Some of this data included ‘private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings’ as well as cookies, passwords and software keys, Google security researcher Tavis Ormandy, who discovered the bug, wrote in a forum.
Mr Ormandy also wrote on Twitter that data from ride-sharing service Uber and cloud password company 1Password had been leaking.
An Uber spokesperson told MailOnline: ‘No Uber passwords were exposed and the handful of session tokens affected have since been changed.’
AgileBits, the maker of 1Password, denied in a blog post on Thursday that any personal data had been compromised.
Mr Graham-Cumming said it was difficult to say which of Cloudflare’s six million websites had been affected.
He said that Google and Cloudflare had been working together to remove any sensitive data from the store of webpages that search engines like Google collect when they index the web.
He said that process was not yet complete, which is why some researchers were still finding data if they knew where to look.
Some security researchers have said the problem is more serious than Cloudflare has described.
Jonathan Sublett of internet security company Shield Maiden said in a blog post that anyone who accessed sites that used Cloudflare ‘should consider their data public and work towards securing their accounts’.
Graham-Cumming said it was difficult to say which of their customers were affected.
‘There will be a debate about how serious this is,’ he said.
‘We do not know of anybody who has had a security problem as a result of this.’