Cloudbleed bug: Everything you need to know

The internet has a new security bug called Cloudbleed and it's pretty bad. We explain what it is, how it affects you and what you can do.

Patrick Holland Managing Editor
Patrick Holland has been a phone reviewer for CNET since 2016. He is a former theater director who occasionally makes short films. Patrick has an eye for photography and a passion for everything mobile. He is a colorful raconteur who will guide you through the ever-changing, fast-paced world of phones, especially the iPhone and iOS. He used to co-host CNET's I'm So Obsessed podcast and interviewed guests like Jeff Goldblum, Alfre Woodard, Stephen Merchant, Sam Jay, Edgar Wright and Roy Wood Jr.
Expertise Apple | iPhone | iOS | Android | Samsung | Sony | Google | Motorola | Interviews | Coffee equipment | Cats Credentials
  • Patrick's play The Cowboy is included in the Best American Short Plays 2011-12 anthology. He co-wrote and starred in the short film Baden Krunk that won the Best Wisconsin Short Film award at the Milwaukee Short Film Festival.
Patrick Holland
4 min read

Internet security suffered a major blow by a bug nicknamed Cloudbleed.

Patrick Holland/CNET

Cloudbleed is the latest internet bug that puts users private information in jeopardy. News of the bug broke late on Thursday, but there is already a lot of confusion about it and the actual impact it has on people's information.

We compiled this as a guide to Cloudbleed and how you should respond. News of Cloudbleed is ongoing, and we'll update this article as new issues arise. Check back for new information.

What is Cloudbleed?

Cloudbleed is the name of a major security breach from the internet company Cloudflare that leaked user passwords, and other potentially sensitive information to thousands of websites over six months. The Register describes it as "sitting down at a restaurant, supposedly at a clean table, and in addition to being handed a menu, you're also handed the contents of the previous diner's wallet or purse."

The name comes from Tavis Ormandy of Google's Project Zero, who reported the bug to Cloudflare and joked about calling it Cloudbleed after the 2014 security bug Heartbleed.

Is Cloudbleed worse than Heartbleed?

At this point, no. As scary as any internet security breach seems, these were pretty different. Heartbleed affected half a million websites, whereas at this time only 3,400 websites are believed to have had the Cloudbleed bug.

But here's the potentially scary part. Those 3,400 websites leaked private data that came from other Cloudflare clients. So the actual number of websites actually affected could be much higher.

Is Cloudbleed still actively dangerous?

No. Think of Cloudbleed like a person surviving a heart attack. It's scary and it will require changes to prevent it from happening again. But the worst of it is over, for now.

If there is an upside to this story, it's that Cloudflare stopped the bug within 44 minutes of finding out about it and fixed the problem completely within 7 hours.

However, the bug is believed to have affected websites going as far back as September with the height of the breach occurring between Feb. 13 to 18. So there will be ripples of consequential fallout as companies learn about the bug and whether their customers' information was involved.

Who is Cloudflare?

Cloudflare provides essential internet infrastructure and security to millions of websites. On its website, Cloudflare lists Nadaq, Bain Capital, OKCupid, ZenDesk and Cisco among others under its "Trusted by" section.

Even though you might not be familiar with the name Cloudflare, chances are a website you've visited uses the company for security or information delivery.

What websites were affected?

At this point, we know that Uber, Fitbit and OKCupid were three directly affected, but there's thousands more.

In response to news of the leak, companies have taken to Twitter to acknowledge the bug and reassure their customers.

How many people are at risk because of Cloudbleed?

It's tough to say, but it's low. As I mentioned above, the peak of the Cloudbleed bug was between Feb. 13 to 18. In a post on the its website, Cloudflare states that during this time about "1 in every 3,300,000 HTTP requests through Cloudflare" potentially resulted in memory leakage. That statistic was further clarified to be about 0.00003 percent of requests.

What kinds of information was leaked?

When you look at the web address for a website you're on, sometimes you see "http" at the beginning. But when you're on a secure website, for example a bank or a password login screen, you'll see "https" at the beginning indicating that the page is secure.

Services like Cloudflare help move information entered on those "https" websites between users and servers securely. What happened here is some of that secure information was unexpectedly saved when it should not have been. And to make matters worse, some of the saved secure information was cached by search engines like Google, Bing and Yahoo.

So it could have been a username or a password, a photo or frames of a video as well as behind-the-scenes things like server information and security protocols. At this time, there is no indication that any of this information was accessed by hackers.

What should I do?


Two-step verification can help keep your accounts secure.

Jason Cipriani/CNET

To be honest, nothing you do now will undo what has happened. But there are things you can do to protect yourself from such things happening again before the next Cloudbleed-like incident happens.

The first thing to do is change the passwords for any of your accounts that use Cloudflare. Fitbit, OKCupid and Medium are a few, but you can find out if websites you use rely on Cloudfare with this tool.

And, if any of those websites or services offer two-step verification (sometimes called two-factor verification), use it. It ensures that even if someone were to get a hold of your password, they would not be able to access your account.

We also recommend contacting the companies of the sites and services you use and let them know your feelings about protecting your security and privacy. As worried about Cloudbleed as some people might be, companies will be pretty worried too and hearing from their customers can go a long way toward improving things for everyone.

What happens next?

Again, information about Cloudbleed became public as of February 23, and as we get new information about the bug we'll update this article.

Tech Culture: From film and television to social media and games, here's your place for the lighter side of tech.

CNET Magazine: Check out a sampling of the stories you'll find in CNET's newsstand edition.