Bitcoin Forum

Economy => Service Discussion => Topic started by: Coding Enthusiast on February 25, 2017, 04:54:33 AM



Title: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: Coding Enthusiast on February 25, 2017, 04:54:33 AM
I don't see anyone talking about this here so I'll start it here because of its importance and move it to services discussion later.


TL;DR: Bitcointalk is not affected, there is a small chance exchanges and web wallets are affected. To be safe, change your password and enable 2 Factor Authentication; if you already had a 2FA key, change that too. Also generate new API keys if you were using those.



You may have heard about the Cloudflare bug that leaked lots of sensitive information; if not, read more about the details here:
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

In any case you should change all your passwords on services that were using Cloudflare and are affected by this bug in order to be safe. You can see more information and the list of affected services here:
https://github.com/pirate/sites-using-cloudflare/blob/master/README.md

Also there is a website to check if a website was using Cloudflare (not sure how reliable it is):
http://www.doesitusecloudflare.com/

Name|Uses cloudflare (May Be Affected)
Bitcointalk|No (does not use Cloudflare)
Bitstamp|No (does not use Cloudflare)
Blockchain.info|YES
Bitfinex|YES
Coinbase|YES
Localbitcoins|YES
Poloniex|YES
Bittrex|YES
Kraken|YES
Bitpay|YES
Btc-e|YES
Cex.io|YES
C-cex|YES
Yobit|YES
* These sites may or may not be affected by the bug, but it is safer if you change your password immediately and enable 2FA. Better safe than sorry
** Just checked a couple of gambling sites, and they all use Cloudflare. Not going to list them here since they are of less importance but you have been warned.

Help me complete the table.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: Dudeperfect on February 25, 2017, 05:23:41 AM
Thanks for coming up with this warning, I was not using 2FA for some sites but it seems that there is no alternative option especially when there is such kind of possibility of leakage of confidential data. I was wondering why Theymos is not using CloudFlare like services on bitcointalk but after this incident, I got my answer. Bitcointalk and we as a community can not afford to lose our data.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: Decoded on February 25, 2017, 06:04:14 AM
Hahahahahahaha!

Received like 8 emails this morning regarding this issue. Wondering if bitcointalk used CloudFlare. I remembered seeing a post by Theymos in the past about him not wanting to use CloudFlare due to security issues, and him saying that he'd rather handle the DDoS attacks himself.

Hey, we may not all love everything that he does, but you gotta give him some credit. Nice.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: Pattberry on February 25, 2017, 06:26:32 AM
It is just a bummer to hear of a major flaw in Cloudflare which leaks every sensitive data online. The very fact that everyone uses these third party protections to safeguard our privacy, and what a mess up it has created. I have to start using a password manager to deal with everything now, which I have been avoiding all this while.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: eaLiTy on February 25, 2017, 06:31:45 AM
Hats off to Theymos for sticking to his decision on not using Cloudflare because of the same security reason he envisioned long back when everyone was asking to add Cloudflare to protect from DDoS. Change all the passwords to be safe and enable 2FA to safeguard all your accounts. The majority of the sites use Cloudflare, so check that out and change the passwords to be on the safe side.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: neochiny on February 25, 2017, 06:42:35 AM
--
I have to start using a password manager to deal with everything now, which I have been avoiding all this while.
Yeah well, I've tried using one before but decided against continuing its use after some time. It's just an additional worry.
Frankly, couldn't stop worrying that the password manager I use would be the weak point, and then ALL of my accounts woulda been compromised.
Decided to go old school instead and keep a hard copy.  ;D Nothing better than pen and paper.  ;D

Almost every site uses CloudFlare nowadays. AND that bug has been there for months.  ::)

I wonder when bitcointalk would use 2fa. It would be great if they decide to implement it soon..


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: devans on February 25, 2017, 09:14:22 AM
In any case you should change all your passwords on services that were using Cloudflare and are affected by this bug in order to be safe. You can see more information and the list of affected services here:
https://github.com/pirate/sites-using-cloudflare/blob/master/README.md

Sound advice. It's worth adding that if you previously set up shared secret 2FA between 2016-09-22 and 2017-02-18 on one of the affected sites you should get a new secret in addition to changing your password. Usually disabling and reenabling 2FA is the way to do that.
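
Why the 2FA secret has to be replaced as well, shown as an added example that is not part of the original post: a TOTP code is computed only from the shared secret and the clock, so a secret that was exposed keeps producing valid codes after a password change until 2FA is re-enrolled. The secrets, the `needs_new_secret` helper and the sample dates are constructed for illustration; the window dates are the ones given in the post above.

```python
import base64
import hashlib
import hmac
import struct
from datetime import date

# Exposure window quoted in the post above.
WINDOW_START = date(2016, 9, 22)
WINDOW_END = date(2017, 2, 18)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on secret and time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def needs_new_secret(enrolled_on: date, behind_cloudflare: bool) -> bool:
    """Hypothetical helper: did enrolment send the secret through the proxy
    during the exposure window?"""
    return behind_cloudflare and WINDOW_START <= enrolled_on <= WINDOW_END


# Constructed sample data: the RFC 6238 test key and a made-up replacement key.
OLD_SECRET = base64.b32encode(b"12345678901234567890").decode()
NEW_SECRET = base64.b32encode(b"constructed-new-key!").decode()

if __name__ == "__main__":
    now = 1111111109  # fixed timestamp taken from the RFC 6238 test vectors
    # A password change does not touch the shared secret, so the old secret
    # still yields the code the server expects.
    print("code from old secret:", totp(OLD_SECRET, now))
    # Disabling and re-enabling 2FA issues a new secret; codes are then
    # derived from that one instead.
    print("code from new secret:", totp(NEW_SECRET, now))
    print("enrolled 2016-12-01 behind the proxy, rotate:",
          needs_new_secret(date(2016, 12, 1), True))
```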


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: lol3c on February 25, 2017, 09:28:44 AM
Is it true that most third party services' passwords have been leaked? That is terrible. People can lose up to a thousand Bitcoin. Thanks for sharing this information. I will change my password ASAP and start announcing this news to my friends. Damn it. I should never trust Coinbase again.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: maku on February 25, 2017, 09:32:50 AM
I wonder when bitcointalk would use 2fa. It would be great if they decide to implement it soon..
Bitcointalk was hacked before and sensitive data was leaked, in cases like that 2FA is not helping at all.

We know that Cloudflare issue caused a leak of approximately 0,00003% personal data but I wonder what that number really means.
I.e. what is the actual number of compromised accounts and how many passwords leaked: 1000 or 10000?


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: Decoded on February 25, 2017, 09:33:26 AM
--
I have to start using a password manager to deal with everything now, which I have been avoiding all this while.
Yeah well, I've tried using one before but decided against continuing its use after some time. It's just an additional worry.
Frankly, couldn't stop worrying that the password manager I use would be the weak point, and then ALL of my accounts woulda been compromised.
Decided to go old school instead and keep a hard copy.  ;D Nothing better than pen and paper.  ;D

Almost every site uses CloudFlare nowadays. AND that bug has been there for months.  ::)

I wonder when bitcointalk would use 2fa. It would be great if they decide to implement it soon..

They're implementing it in the beta forum, but who knows when that thing's coming out. It's been years.

Hats off to Theymos for sticking to his decision on not using Cloudflare because of the same security reason he envisioned long back when everyone was asking to add Cloudflare to protect from DDoS. Change all the passwords to be safe and enable 2FA to safeguard all your accounts. The majority of the sites use Cloudflare, so check that out and change the passwords to be on the safe side.

Congrats, you copied my post, added a generic warning and got paid for it. Hats off to you. I'm sure you haven't even read that post, and of course you won't read this one, you spammer. I'll take it all back if you actually read this, without having someone else notify you about this.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: Patatas on February 25, 2017, 09:34:34 AM
Yeah well, I've tried using one before but decided against continuing its use after some time. It's just an additional worry.
How does that contribute to any discussions here ? Off-Topic Much ?

Frankly, couldn't stop worrying that the password manager I use would be the weak point, and then ALL of my accounts woulda been compromised.
We're supposed to be talking about services using Cloudflare and not password managers..

Almost every site uses CloudFlare nowadays. AND that bug has been there for months.  ::)
Not every site. The sites which are prone to DDoS do. Finally people can stop using that crap.

I wonder when bitcointalk would use 2fa. It would be great if they decide to implement it soon..
Not anytime soon. Neither is a feature request on the new forum.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: maydna on February 25, 2017, 09:40:53 AM
I've got the email from Poloniex and Bittrex too, and it said that I should change my password and my 2FA for security reasons. I read the news about Cloudflare having a bug and that the sites using Cloudflare are potentially open to attack. I already asked Poloniex and they request their members to change their password and 2FA, just to make sure that their members are safe from the attacker. It is good that we know about this news so we can secure our accounts from the attacker, and we need to activate 2FA for our accounts.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: ko0ll0ove on February 25, 2017, 09:57:35 AM
Luckily, I haven't received any mail from 2FA of any site yet, but many thanks to you. Your alert is very valuable to me and I will change my password usually, in case of danger of the Cloudbleed bug.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: DoublerHunter on February 25, 2017, 10:08:08 AM
I don't see anyone talking about this here so I'll start it here because of its importance and move it to services discussion later.


TL;DR: Bitcointalk is not affected, there is a small chance exchanges and web wallets are affected. To be safe change your password and enable 2 Factor Authentication.



You may have heard about the Cloudflare bug that leaked lots of sensitive information; if not, read more about the details here:
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

In any case you should change all your passwords on services that were using Cloudflare and are affected by this bug in order to be safe. You can see more information and the list of affected services here:
https://github.com/pirate/sites-using-cloudflare/blob/master/README.md

Also there is a website to check if a website was using Cloudflare (not sure how reliable it is):
http://www.doesitusecloudflare.com/

Name|Uses cloudflare (May Be Affected)
Bitcointalk|No (does not use Cloudflare)
Bitstamp|No (does not use Cloudflare)
Blockchain.info|YES
Bitfinex|YES
Coinbase|YES
Localbitcoins|YES
Poloniex|YES
Bittrex|YES
Kraken|YES
Bitpay|YES
Btc-e|YES
Cex.io|YES
C-cex|YES
Yobit|YES
* These sites may or may not be affected by the bug, but it is safer if you change your password immediately and enable 2FA. Better safe than sorry
** Just checked a couple of gambling sites, and they all use Cloudflare. Not going to list them here since they are of less importance but you have been warned.

Help me complete the table.
Thanks for this update. This helps a lot of users from different sites to be alert to this Cloudbleed bug, which can cause leaking of sensitive personal information. This is a big issue and we all need to pay attention to this kind of issue to avoid getting hacked. As of now, I haven't received any email notifications from my account, but I will change my password as soon as possible. Thanks again OP for alerting us.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: naughty1 on February 25, 2017, 10:27:12 AM
Really, thank you for the warning. I will change all your account information, and then set the security code 2FA. But I want to know why they are using CloudFlare; this is quite dangerous. What will happen if their users lose money, are they responsible or not?


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: layoutph on February 25, 2017, 10:40:38 AM
Anyone knows what kind of vulnerability the Cloudflare exploit has? May I know why do we need to change our passwords?


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: Bellator on February 25, 2017, 10:50:04 AM
Thanks for this warning. Many people using the sites that are affected by the Cloudbleed bug will be aware now. I will change my password too, but is it safe already if I change my password? Or do I need to activate my 2FA security so that my account will surely be safe now? Or do I need to do something?


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: Decoded on February 25, 2017, 10:52:39 AM
Anyone knows what kind of vulnerability the Cloudflare exploit has? May I know why do we need to change our passwords?

It's obvious that they won't give you the exact details and nature of the bug; no system is perfect, so there's bound to be more.

From the email that Kraken and poloniex sent me, the nature of the bug seems to be something to do with CloudFlare's reverse proxy system stuffing up. In very rare cases, secure HTTPS requests were able to be read, meaning things like passwords and 2fa keys could have been skimmed.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: kohavn on February 25, 2017, 11:01:05 AM
I think I should change my password right now. Thank you for your information.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: tupentapper on February 25, 2017, 11:05:36 AM
Thanks for posting. I will change my password now.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: DomainMagnate on February 25, 2017, 11:09:21 AM
I have changed my password as soon as I got email regarding this bug. I haven't received any email from yobit, c-cex etc and I wonder if they use cloudflare or not.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: neochiny on February 25, 2017, 11:12:31 AM
--
1. How does that contribute to any discussions here ? Off-Topic Much ?
2. We're supposed to be talking about services using Cloudflare and not password managers..
3. Not every site. The sites which are prone to DDoS do. Finally people can stop using that crap.
4. Not anytime soon. Neither is a feature request on the new forum.
1. What, I can't comment on a point in his post I find interesting? As for topic, SEE the hr line?
2. <sigh> Nitpick-much? Should I rearrange my post and place the middle part on top to stop your fussing?
3. Hence the word 'Almost'. And finally, the only part of your post that's got anything to do with the 'topic'.
4. Ahuh. Whatever you say.

As for topic ( ;D in case there's another fuss),
the bug's been there for months (September last year), Cloudflare was clueless, and for the bug to be found and reported by someone from Google?  ::)

Anyway, for anyone who hasn't done so yet, make sure to change your account's password and activate 2fa if possible.

Remember to make your passwords strong and never reuse on multiple sites.
(You could use password managers or make hard copies to keep track of your account details.  :P :P ;D ;D ;D)
 


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: Coding Enthusiast on February 25, 2017, 03:50:42 PM
Sound advice. It's worth adding that if you previously set up shared secret 2FA between 2016-09-22 and 2017-02-18 on one of the affected sites you should get a new secret in addition to changing your password. Usually disabling and reenabling 2FA is the way to do that.

Good idea, added "Change 2FA" and "API keys" to the subject and in the TL;DR with red font.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: Kprawn on February 25, 2017, 04:12:40 PM
Holy Shit, a lot of big sites have been affected: 4,287,625 possibly affected domains. Some of these like Fiverr and Uber are also on the list.

Damn, this is a major oversight on their side, and I think a bunch of these sites are going to cancel their membership after this. You think you are relatively safe, and then something like this happens.  ::)


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: Yakamoto on February 25, 2017, 04:18:22 PM
Shit, gonna have to go and change my blockchain API.

I'm glad this was caught relatively sooner rather than later, but it's a shame there is another issue of this kind.

Luckily I don't have anything of considerable value stored on anything there, maybe $10 across all the affected sites you mentioned. Either way, better to be safe rather than sorry.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: ~Bitcoin~ on February 25, 2017, 04:29:30 PM
You can add cubits.com and nicehash.com to the list, I have got emails from both of them about Cloudbleed this week. I have changed my password on most of the sites that have Cloudflare.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: South Park on February 25, 2017, 04:39:40 PM
--
I have to start using a password manager to deal with everything now, which I have been avoiding all this while.
Yeah well, I've tried using one before but decided against continuing its use after some time. It's just an additional worry.
Frankly, couldn't stop worrying that the password manager I use would be the weak point, and then ALL of my accounts woulda been compromised.
Decided to go old school instead and keep a hard copy.  ;D Nothing better than pen and paper.  ;D

Almost every site uses CloudFlare nowadays. AND that bug has been there for months.  ::)

I wonder when bitcointalk would use 2fa. It would be great if they decide to implement it soon..
Open source password managers are not so bad: you know you are the only one holding your passwords, the file where the passwords are contained is encrypted, and you need a master password. If you would rather have a hard copy that is not a problem, but a password manager can save lots of time.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: e-coinomist on February 28, 2017, 12:58:31 PM
I wonder when bitcointalk would use 2fa. It would be great if they decide to implement it soon..

Nope. There already is something far superior active. You can add a BTC address onto your profile (or post it somewhere (there's a thread for that where people quote those postings for tamper proofness)) and if THAT breaks, the whole Saga is over anyways.

2FA usually just adds an Android cellphone and every one of us knows those aren't adding to your security but subtracting from it.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: tiggytomb on February 28, 2017, 01:02:30 PM
Nice thread, I was looking for a list of all the sites that might be affected and I didn't see one until just now.  It's always a good idea to have 2FA enabled on all accounts.


Title: Re: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys
Post by: bitcoinvest on February 28, 2017, 10:06:34 PM
I had an account at an exchange that is using cloudbleed :) Very good for me, I am around this forum all day long and had the information from here first...

After 1-2 days email arrived from exchange to change password and OTP also :)

I really can't believe that up to now... some years before the OTP was announced to be something like unbreakable and here we are :)

Over the past 5 years, from the experience we have in using computers every day (no matter the level), I understood one thing... the only unbreakable is the Bitcoin :)

But anyway, in the community we have not heard of anything bad happening to any exchange from this bug etc... so all is good!