By RJ Gazarek
First and foremost – Thycotic does not use Cloudflare for any of our cloud-based products, such as Secret Server Cloud or our upcoming Privileged Behavior Analytics. We don’t anticipate our customers being affected by this directly, unless the passwords used to access our services are the same as passwords used to access affected websites. It’s because of events like this that we recommend never using the same password in more than one location.
Why you should be concerned
Any traffic that has passed through Cloudflare in the last couple of months may be public – including data that was transmitted over HTTPS.
Cloudflare is a website service that typically sits between a website and its visitors. Cloudflare offers many services, but it is best known for blocking DDoS attacks against websites and for making web pages load faster for visitors. When a website owner purchases Cloudflare’s services, they change some of their DNS records so that all users are sent to Cloudflare’s servers first, before reaching the website itself. So, as an example, when you type in Zendesk.com (a company that Cloudflare lists as a customer), you are actually directed first to a Cloudflare server. Cloudflare quickly analyzes which page you are trying to reach and tries to determine that you are not a malicious visitor (among other things); it then serves parts of the page (such as images) to you directly and forwards everything else to the final destination. This is meant to protect these websites from massive DDoS attacks and to speed up their page load times.
Cloudflare is extremely popular and is used by over 1,000,000 domains around the world – and some of the biggest sites on the internet, such as: Reddit, DigitalOcean, Zendesk, Uber, and Fitbit (just to name a few).
A bug was discovered that was injecting a lot of private information (passwords, API tokens, private messages, PII, hotel bookings, etc.) directly into the web pages served to visitors of websites around the world. Cloudflare’s services had been doing this for a few months before it was discovered. Google’s search engine was caching these pages, and people were able to scrape the search engine for this information. Google has been working with Cloudflare to remove these cached pages, but it’s extremely important to note that Google is not the only search engine that crawls and caches web pages.
Only a certain aspect of Cloudflare’s services was affected by this bug, but it was big enough to constitute a very serious security event. Additionally, it’s hard for us to know exactly how much data was exposed, but given the concern and activity surrounding this, it should be treated as a very serious event.
So now what?
IT and Security experts around the world are recommending that the only thing to do now is operate under “Assumed Compromise”.
1. Change all of your passwords… everywhere!
Change your work passwords, personal passwords, email passwords, bank passwords, everything!
2. Reset your Two Factor Authentication tokens
It is possible that the secrets used to generate your 2FA codes were compromised, so it’s recommended to re-enroll all of your 2FA devices/apps so that new secrets are generated.
3. Monitor your credit report
This is always important to do, and it can quickly alert you to identity theft or more serious problems!
4. Don’t use the same password in more than one location!
If you’re using the same password for more than one account, you’re greatly increasing your chances of compromise. If an attacker is able to obtain one of your passwords, they will essentially have access to all of your passwords and accounts.
5. Use a password manager to generate unique passwords for every account
You should be using a password manager both for your personal life and for your corporate passwords! If your company is not using a password manager, talk to your IT or Security team to see what it would take to incorporate one into your business.
6. Organizations should implement a Privileged Account Management solution
Chances are your on-premises network devices are not going to be affected by this, unless someone was using the same password for a personal account as for a work account. With a true PAM solution (like Thycotic’s Secret Server), you can automatically rotate every password on your devices with the click of a button – ensuring that you can quickly mitigate any potential vulnerabilities that could arise from a security event such as Cloudbleed.
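As an added example (not part of the original post), here is a triage of a password-manager export that combines steps 1 and 4: accounts on the sites the post names as Cloudflare customers are flagged first, then any account that shares a password with one of them. The domain list, the export and the priority labels are constructed assumptions for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Domains the post names as Cloudflare customers. Assumption: only the post's
# examples, not the real list of over 1,000,000 Cloudflare-fronted domains.
CLOUDFLARE_FRONTED = {"reddit.com", "digitalocean.com", "zendesk.com", "uber.com", "fitbit.com"}

# Constructed sample of a password-manager export: (url, username, password).
SAMPLE_EXPORT = [
    ("https://www.reddit.com/login", "rj", "Winter2017!"),
    ("https://support.zendesk.com", "rj@example.com", "Winter2017!"),
    ("https://mybank.example", "rj", "Winter2017!"),
    ("https://app.uber.com", "rj", "uber-only-pass-7Qx"),
    ("https://forum.example.net", "rj", "shared-but-not-exposed"),
    ("https://shop.example.net", "rj", "shared-but-not-exposed"),
    ("https://accounts.example.org", "rj", "kL4$unique-to-this-site"),
]

def registrable_domain(url):
    """Last two host labels ('support.zendesk.com' -> 'zendesk.com').
    Assumption: no multi-part public suffixes such as co.uk in the export."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def is_cloudflare_fronted(url, fronted=CLOUDFLARE_FRONTED):
    return registrable_domain(url) in fronted

def triage(entries, fronted=CLOUDFLARE_FRONTED):
    """Map (url, username) -> rotation priority: 'exposed' (account on a
    Cloudflare-fronted site), 'reused-with-exposed' (same password as an
    exposed account, step 4), 'reused' (same password as any other account),
    'rotate' (unique, but still rotate under assumed compromise, step 1)."""
    by_pw = defaultdict(list)          # group accounts sharing a password
    for url, _user, pw in entries:
        by_pw[pw].append(url)
    exposed_pws = {pw for pw, urls in by_pw.items()
                   if any(is_cloudflare_fronted(u, fronted) for u in urls)}
    report = {}                         # never echoes the passwords themselves
    for url, user, pw in entries:
        if is_cloudflare_fronted(url, fronted):
            report[(url, user)] = "exposed"
        elif pw in exposed_pws:
            report[(url, user)] = "reused-with-exposed"
        elif len(by_pw[pw]) > 1:
            report[(url, user)] = "reused"
        else:
            report[(url, user)] = "rotate"
    return report
```

Run `triage(SAMPLE_EXPORT)` to see the priority assigned to each account; the bank account is flagged because it shares its password with two accounts on Cloudflare-fronted sites, even though the bank itself is not one.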