Cloudflare DNS announced this morning that it suffered a security incident over the last few months that could affect a vast swath of the internet. It boils down to a since-repaired buffer issue that could potentially have exposed sensitive data, including website authentication tokens, to search engine caching.
Massively OP does utilize Cloudflare (you’ve probably seen it on those rare occasions our server hamsters go on strike) but we are not directly affected by the leak. “Your domain is not one of the domains where we have discovered exposed data in any third party caches,” Cloudflare told us, and our tech has assured me our site does not use the features imperiled by the bug.
However, a number of sites and services are, possibly including Patreon, which many of you use to help fund us, and Feedly, which many of you use to follow our feeds. These sites and services are not at fault, and none of those I use has contacted us about a breach, but you may wish to investigate further.
Cloudflare is not publicly revealing which domains might be affected, only that 150 were, but security experts have begun compiling lists of those potentially affected and those verified safe and those confirmed in the wild, and the list really does travel far and wide, from 4chan and Curse to Bungie and Discord. However, as the compilers note, “Just because a domain is on the list does not mean the site is compromised, and sites may be compromised that do not appear on this list,” so right now, everyone’s simply operating with an abundance of caution because there are thousands upon thousands of sites under the Cloudflare banner.
As these services are notified themselves, I assume they will notify users (if only to assure them they weren’t one of the 150), but in the meantime, experts are recommending password changes to be on the safe side. You probably had nothing better to do on Friday night than change hundreds of passwords, right?