Coding Enthusiast (OP)
February 25, 2017, 04:54:33 AM. Last edit: February 25, 2017, 12:14:02 PM by Coding Enthusiast
I don't see anyone talking about this here, so I'll start it here because of its importance and move it to services discussion later.
TL;DR: Bitcointalk is not affected; there is a small chance exchanges and web wallets are affected. To be safe, change your password and enable 2 Factor Authentication. If you already had a 2FA key, change that too, and also generate new API keys if you were using those.
You may have heard about the Cloudflare bug that leaked lots of sensitive information; if not, read more about the details here: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
In any case you should change all your passwords on services that were using Cloudflare and are affected by this bug in order to be safe. You can see more information and the list of affected services here: https://github.com/pirate/sites-using-cloudflare/blob/master/README.md
Also there is a website to check if a website was using Cloudflare (not sure how reliable it is): http://www.doesitusecloudflare.com/
Name | Uses Cloudflare (May Be Affected)
Bitcointalk | No (does not use Cloudflare)
Bitstamp | No (does not use Cloudflare)
Blockchain.info | YES
Bitfinex | YES
Coinbase | YES
Localbitcoins | YES
Poloniex | YES
Bittrex | YES
Kraken | YES
Bitpay | YES
Btc-e | YES
Cex.io | YES
C-cex | YES
Yobit | YES
* These sites may or may not be affected by the bug, but it is safer if you change your password immediately and enable 2FA. Better safe than sorry.
** Just checked a couple of gambling sites, and they all use Cloudflare. Not going to list them here since they are of less importance, but you have been warned.
Help me complete the table.

Dudeperfect
February 25, 2017, 05:23:41 AM
Thanks for coming up with this warning. I was not using 2FA for some sites, but it seems that there is no alternative option, especially when there is this kind of possibility of leakage of confidential data. I was wondering why Theymos is not using CloudFlare-like services on bitcointalk, but after this incident, I got my answer. Bitcointalk and we as a community cannot afford to lose our data.

Decoded
February 25, 2017, 06:04:14 AM
Hahahahahahaha!
Received like 8 emails this morning regarding this issue. Wondering if bitcointalk used CloudFlare. I remembered seeing a post by Theymos in the past about him not wanting to use CloudFlare due to security issues, and him saying that he'd rather handle the DDoS attacks himself.
Hey, we may not all love everything that he does, but you gotta give him some credit. Nice.

Pattberry
February 25, 2017, 06:26:32 AM
It is just a bummer to hear of a major flaw in Cloudflare which leaks all sensitive data online. The very fact that everyone uses this third-party protection to safeguard our privacy, and what a mess-up it has created. I have to start using a password manager to deal with everything now, which I have been avoiding all this while.

eaLiTy
February 25, 2017, 06:31:45 AM
Hats off to Theymos for sticking to his decision on not using Cloudflare because of the same security reason he envisioned long back when everyone was asking to add Cloudflare to protect from DDoS. Change all the passwords to be safe and enable 2FA to safeguard all your accounts. The majority of sites use Cloudflare, so check that out and change the passwords to be on the safe side.

neochiny
February 25, 2017, 06:42:35 AM
-- I have to start using a password manager to deal with everything now, which I have been avoiding all this while.
Yeah well, I've tried using one before but decided against continuing its use after some time. It's just an additional worry. Frankly, couldn't stop worrying that the password manager I use would be the weak point, and then ALL of my accounts woulda been compromised. Decided to go old school instead and keep a hard copy. Nothing better than pen and paper.
Almost every site uses CloudFlare nowadays. AND that bug has been there for months.
I wonder when bitcointalk would use 2fa. It would be great if they decide to implement it soon..

devans
February 25, 2017, 09:14:22 AM
Sound advice. It's worth adding that if you previously set up shared secret 2FA between 2016-09-22 and 2017-02-18 on one of the affected sites you should get a new secret in addition to changing your password. Usually disabling and reenabling 2FA is the way to do that.
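
The triage devans describes above, as an added example that is not part of the original thread: each account gets a password change if the site is fronted by Cloudflare, and a new 2FA secret only if the secret was enrolled inside the quoted window. The header heuristic (a `CF-RAY` header or a `Server` value beginning with `cloudflare`), the account records and the `.example` site names are assumptions constructed for illustration; the header check shows current use of Cloudflare only, not use during the window.

```python
from datetime import date

# Exposure window quoted in devans' post.
WINDOW_START, WINDOW_END = date(2016, 9, 22), date(2017, 2, 18)

def parse_headers(raw):
    """Parse a raw HTTP response head into a dict with lower-cased names."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def behind_cloudflare(raw):
    # Assumed heuristic (not from the thread): Cloudflare-proxied responses
    # carry a CF-RAY header and a Server value starting with "cloudflare".
    h = parse_headers(raw)
    return "cf-ray" in h or h.get("server", "").lower().startswith("cloudflare")

def triage(account):
    """Return the recovery actions for one account record."""
    if not behind_cloudflare(account["response_head"]):
        return []
    actions = ["change password"]
    enrolled = account["twofa_enrolled"]
    if enrolled is None:
        actions.append("enable 2FA")
    elif WINDOW_START <= enrolled <= WINDOW_END:   # secret crossed the proxy in the window
        actions.append("re-enroll 2FA to get a new shared secret")
    if account["has_api_keys"]:
        actions.append("generate new API keys")
    return actions

# Constructed sample inventory; response heads and site names are placeholders.
CF_HEAD = "HTTP/1.1 200 OK\r\nServer: cloudflare-nginx\r\nCF-RAY: 0000000000000000-AMS\r\n"
PLAIN_HEAD = "HTTP/1.1 200 OK\r\nServer: nginx\r\n"
ACCOUNTS = [
    dict(site="exchange-a.example", response_head=CF_HEAD, twofa_enrolled=date(2016, 11, 3), has_api_keys=True),
    dict(site="wallet-b.example", response_head=CF_HEAD, twofa_enrolled=date(2015, 6, 1), has_api_keys=False),
    dict(site="exchange-c.example", response_head=CF_HEAD, twofa_enrolled=None, has_api_keys=False),
    dict(site="forum-d.example", response_head=PLAIN_HEAD, twofa_enrolled=date(2016, 12, 1), has_api_keys=False),
]

if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct["site"], "->", triage(acct) or ["no action for this bug"])
```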

lol3c
February 25, 2017, 09:28:44 AM
Is it true that most third-party services' passwords have been leaked? That is terrible.. People can lose up to a thousand Bitcoin. Thanks for sharing this information. I will change my password asap and start announcing this news to my friends. Damn it. I should never trust Coinbase again.

maku
February 25, 2017, 09:32:50 AM
I wonder when bitcointalk would use 2fa. It would be great if they decide to implement it soon..
Bitcointalk was hacked before and sensitive data was leaked; in cases like that 2FA is not helping at all.
We know that the Cloudflare issue caused a leak of approximately 0,00003% personal data, but I wonder what that number really means. I.e. what is the actual number of compromised accounts and how many passwords leaked: 1000 or 10000?

Decoded
February 25, 2017, 09:33:26 AM
-- I have to start using a password manager to deal with everything now, which I have been avoiding all this while.
Yeah well, I've tried using one before but decided against continuing its use after some time. It's just an additional worry. Frankly, couldn't stop worrying that the password manager I use would be the weak point, and then ALL of my accounts woulda been compromised. Decided to go old school instead and keep a hard copy. Nothing better than pen and paper.
Almost every site uses CloudFlare nowadays. AND that bug has been there for months.
I wonder when bitcointalk would use 2fa. It would be great if they decide to implement it soon..
They're implementing it in the beta forum, but who knows when that thing's coming out. It's been years.
Hats off to Theymos for sticking to his decision on not using Cloudflare because of the same security reason he envisioned long back when everyone was asking to add Cloudflare to protect from DDoS. Change all the passwords to be safe and enable 2FA to safeguard all your accounts. The majority of sites use Cloudflare, so check that out and change the passwords to be on the safe side.
Congrats, you copied my post, added a generic warning and got paid for it. Hats off to you. I'm sure you haven't even read that post, and of course you won't read this one, you spammer. I'll take it all back if you actually read this, without having someone else notify you about this.

Patatas
February 25, 2017, 09:34:34 AM
Yeah well, I've tried using one before but decided against continuing its use after some time. It's just an additional worry.
How does that contribute to any discussions here? Off-topic much?
Frankly, couldn't stop worrying that the password manager I use would be the weak point, and then ALL of my accounts woulda been compromised.
We're supposed to be talking about services using Cloudflare and not password managers..
Almost every site uses CloudFlare nowadays. AND that bug has been there for months.
Not every site. The sites which are prone to DDoS do. Finally people can stop using that crap.
I wonder when bitcointalk would use 2fa. It would be great if they decide to implement it soon..
Not anytime soon. Neither is a feature request on the new forum.

maydna
February 25, 2017, 09:40:53 AM
I've got the email from Poloniex and Bittrex too, and it said that I should change my password and my 2FA for security reasons, and I read the news that Cloudflare has a bug and that the sites using Cloudflare are potential targets for the attack. I already asked Poloniex, and they request that their members change their password and 2FA, just to make sure that their members are safe from the attacker. It is good that we know about this news so we can secure our accounts from the attacker, and we need to activate 2FA for our accounts.

ko0ll0ove
February 25, 2017, 09:57:35 AM
Luckily, I haven't received any mail from 2FA of any site yet, but many thanks to you. Your alert is very valuable to me and I will change my password usually, in case of danger from the Cloudbleed bug.

DoublerHunter
February 25, 2017, 10:08:08 AM
Thanks for this update. This helps a lot of users from different sites to be alert for this Cloudbleed bug, which can cause leaking of sensitive personal information. This is a big deal and we all need to pay attention to this kind of issue to avoid getting hacked. As of now, I haven't received any email notifications from my account, but I will change my password as soon as possible. Thanks again, OP, for alerting us.

naughty1
February 25, 2017, 10:27:12 AM
Really, thank you for the warning. I will change all your account information, and then set the security code 2FA. But I want to know why they are using CloudFlare; this is quite dangerous. What will happen if their users lose money? Are they responsible or not?

layoutph
February 25, 2017, 10:40:38 AM
Does anyone know what kind of vulnerability the Cloudflare exploit has? May I know why we need to change our passwords?

Bellator
February 25, 2017, 10:50:04 AM
Thanks for this warning. Many people using these sites that are affected by the Cloudbleed bug will be aware now. I will change my password too, but is it safe already if I change my password? Or do I need to activate my 2FA security so that my account will surely be safe now? Or do I need to do something?

Decoded
February 25, 2017, 10:52:39 AM
Does anyone know what kind of vulnerability the Cloudflare exploit has? May I know why we need to change our passwords?
It's obvious that they won't give you the exact details and nature of the bug; no system is perfect, so there's bound to be more. From the email that Kraken and Poloniex sent me, the nature of the bug seems to be something to do with CloudFlare's reverse proxy system stuffing up. In very rare cases, secure HTTPS requests were able to be read, meaning things like passwords and 2FA keys could have been skimmed.

kohavn
February 25, 2017, 11:01:05 AM
I think I should change my password right now. Thank you for your information.

tupentapper
February 25, 2017, 11:05:36 AM
Thanks for posting. I will change my password now.