At iubenda we provide tools that allow websites and apps to comply with the law, so we thought it would be useful for you to understand how a data leak like "CloudBleed" should be handled.
What happened
CloudFlare, a popular CDN provider used by millions of websites, had a serious security leak. According to CloudFlare, a bug caused all websites using some specific CloudFlare features to potentially leak sensitive data, including passwords.
«Is my website affected?» Most likely YES if you're using CloudFlare
If you're using CloudFlare, your website is affected if you use the following features:
Since September 22, 2016, the Automatic HTTP Rewrites feature is affected
Since January 30, 2017, the Server-Side Excludes feature is affected
Since February 13, 2017, the Email Obfuscation feature is affected
According to CloudFlare, the bug causing the leak was fixed on February 18, 2017.
Check your CloudFlare setup to work out whether you have been affected and, if so, from which date.
«What should I do if my website is affected?»
The vast majority of jurisdictions require you to notify users of a potential data leak and take all necessary actions to mitigate it.
First, you should assess what data could have leaked. If you allow users to sign up and log in, this is what you should do:
Assess when the bug first affected you according to the list above
Consider expiring all login tokens for the affected period
Consider forcing all users who logged in or signed up in that time span to reset their passwords
Warn your users about what happened
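The four steps above, carried through as an added worked example (this is not iubenda's code or CloudFlare's): the three affected-since dates and the fix date are the ones quoted in this post, while the user and session records, their field names and the rule for which tokens count as exposed are assumptions made for illustration. Step 1 derives the exposure window from the features the site had enabled, step 2 revokes every login token that was valid at any point inside that window, and step 3 flags for a password reset every user who logged in or signed up during it.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Dates quoted in the post from CloudFlare's disclosure (treated here as UTC midnight).
FEATURE_AFFECTED_SINCE = {
    "automatic_http_rewrites": datetime(2016, 9, 22, tzinfo=timezone.utc),
    "server_side_excludes": datetime(2017, 1, 30, tzinfo=timezone.utc),
    "email_obfuscation": datetime(2017, 2, 13, tzinfo=timezone.utc),
}
BUG_FIXED_AT = datetime(2017, 2, 18, tzinfo=timezone.utc)


@dataclass
class User:  # assumed shape of a user record
    user_id: int
    signed_up_at: datetime
    must_reset_password: bool = False


@dataclass
class Session:  # assumed shape of a login-token record
    token: str
    user_id: int
    issued_at: datetime
    expires_at: datetime
    revoked: bool = False


def affected_window(enabled_features):
    """Step 1: the exposure window opens at the earliest affected-since date among the
    enabled features and closes at the fix date. None if no listed feature was enabled."""
    starts = [FEATURE_AFFECTED_SINCE[f] for f in enabled_features if f in FEATURE_AFFECTED_SINCE]
    if not starts:
        return None
    return min(starts), BUG_FIXED_AT


def was_live_in_window(session, start, end):
    # Assumed rule: a token counts as exposed if it was valid at any moment inside the
    # window, so one issued before the window but still unexpired when it opened is
    # revoked as well; a token that expired before the window opened is left alone.
    return session.issued_at < end and session.expires_at > start


def remediate(users, sessions, enabled_features):
    """Steps 2 and 3. Mutates the records in place and returns a summary; in a real app
    the same logic would be UPDATE statements against the sessions and users tables."""
    window = affected_window(enabled_features)
    if window is None:
        return {"window": None, "revoked_tokens": [], "users_to_reset": []}
    start, end = window

    revoked = []
    logged_in_during_window = set()
    for s in sessions:
        if was_live_in_window(s, start, end) and not s.revoked:
            s.revoked = True
            revoked.append(s.token)
        if start <= s.issued_at < end:  # a token issued inside the window means a login then
            logged_in_during_window.add(s.user_id)

    to_reset = []
    for u in users:
        if u.user_id in logged_in_during_window or start <= u.signed_up_at < end:
            u.must_reset_password = True
            to_reset.append(u.user_id)

    return {"window": (start, end), "revoked_tokens": sorted(revoked), "users_to_reset": sorted(to_reset)}


def _day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


def build_sample():
    """Constructed sample data, not real records."""
    users = [
        User(1, _day(2016, 1, 1)),   # old account that logged in during the window
        User(2, _day(2017, 2, 15)),  # signed up inside the window
        User(3, _day(2015, 5, 5)),   # no activity anywhere near the window
        User(4, _day(2016, 1, 1)),   # token straddles the window start, but no login inside it
    ]
    sessions = [
        Session("tok-a", 1, _day(2016, 12, 1), _day(2016, 12, 31)),
        Session("tok-b", 2, _day(2017, 2, 15), _day(2017, 3, 15)),
        Session("tok-c", 3, _day(2015, 6, 1), _day(2015, 7, 1)),
        Session("tok-d", 4, _day(2016, 9, 1), _day(2016, 10, 1)),
    ]
    return users, sessions


def run_example(enabled_features):
    users, sessions = build_sample()
    return remediate(users, sessions, enabled_features)


if __name__ == "__main__":
    for features in (["automatic_http_rewrites"], ["email_obfuscation"], []):
        print(features, run_example(features))
```

Note the difference between the two lists the function returns: user 4's token is revoked because it was still valid when the window opened, but that user is not forced to reset a password, since no login or sign-up happened inside the window. Whether to be that strict about token revocation is a judgment call; being generous with revocations costs users a re-login, while being generous with forced resets costs support time, so the two thresholds are kept separate on purpose.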
«My website wasn't affected, is there anything I should do?»
It's advisable that you check this list of websites using CloudFlare and consider changing the password of any accounts you may have there.
Feel free to share our blog post on Medium (which, by the way, was likely affected too) via Twitter or Facebook.
Also check out our infographic on CloudBleed and share it via Twitter or Facebook.
What about iubenda?
We recently moved to Akamai, but were marginally affected nonetheless. We're thus automatically requesting that a small number of our users reset their passwords.