[Warning][Cloudbleed bug] Change your passwords & 2FA & API keys

[DomainMagnate]

I have changed my password as soon as I got email regarding this bug.I haven't received any email from yobit, c-cex etc and I wonder if they use cloudflare or not.

[1714841150]

1714841150

[1714841150]

1714841150

[1714841150]

1714841150

[neochiny]

--

1.How does that contribute to any discussions here ? Off-Topic Much ?
2.We're suppose to be talking about services using Cloudflare and not password managers..
3.Not every site.The sites which are prone to DDos do.Finally people can stop using that crap.
4.Not anytime soon.Neither is a feature request on the new forum.

1.What, I can't comment on a point in his post I find interesting? As for topic, SEE the hr line?
2. <sigh> Nitpick-much? Should I rearrange my post and place the middle part on top to stop your fussing?
3.Hence the word 'Almost'. And finally, the only part of your post that's got anything to do with the 'topic'.
4.Ahuh. Whatever you say.
As for topic ( in case there's another fuss),
the bug's been there for months(September last year), Cloudflare was clueless, and for the bug to be found and reported by someone from Google?  

Anyway, for anyone who hasn't done so yet, make sure to change your account's password and activate 2fa if possible.

Remember to make your passwords strong and never reuse on multiple sites.
(You could use password managers or make hard copies to keep track of your account details.   )
 

[Coding Enthusiast]

Sound advice. It's worth adding that if you previously set up shared secret 2FA between 2016-09-22 and 2017-02-18 on one of the affected sites you should get a new secret in addition to changing your password. Usually disabling and reenabling 2FA is the way to do that.

Good idea, added "Change 2FA" and "API keys" to the subject and in the TL;DR with red font.

[Kprawn]

Holy Shit, a lot of big sites has been affected : 4,287,625 possibly affected domains. Some of these like Fiverr and Uber  are also on the list.

Damn, this is a major oversight on their side, and I think a bunch of these sites are going to cancel their membership after this. You think you are

relatively safe, and then something like this happens. 

[Yakamoto]

Shit, gonna have to go and change my blockchain API.

I'm glad this was caught relatively sooner rather than later, but it's a shame there is another issue of this kind.

Luckily I don't have anything of considerable value stored on anything there, maybe $10 across all the affected sites you mentioned. Either way, better to be safe rather than sorry.

[~Bitcoin~]

You can add cubits.com and nicehash.com on the list, i have got email from both of them about cloudbleed this week. I have changed password in most of the site that have cloudflare.

[South Park]

--
I have to start using a password manager to deal everything now which i have been avoiding all this while.

Yeah well, I've tried using one before but decided against continuing its use after some time. It's just an additional worry.
Frankly, couldn't stop worrying that the password manager I use would be the weak point, and then ALL of my accounts woulda been compromised.
Decided to go old school instead and keep a hard copy.   Nothing better than pen and paper.  
Almost every site uses CloudFlare nowadays. AND that bug has been there for months.  
I wonder when bitcointalk would use 2fa. It would be great if they decide to implement it soon..

Open source password managers are not so bad, you know you are the only one holding your passwords, the file where the passwords are contained is encrypted and you need a master password, if you like better to have a hard copy there is not a problem but password manager can save lots of time.

[e-coinomist]

I wonder when bitcointalk would use 2fa. It would be great if they decide to implement it soon..

Nope. There allready is something far superior active. You can add a BTC address onto your profile (or post it somewhere (there's a thread for that where people quote those postings for tamper proofness)) and if THAT breaks, the whole Saga is over anyways.

2FA usually just adds an Android cellphone and everybody of us knows those aren't adding to your security but substracting from it.

[tiggytomb]

Nice thread, I was looking for a list of all the sites that might be affected and I didn't see one until just now.  It's always a good idea to have 2FA enabled on all accounts.

[bitcoinvest]

I had account to exchange that is using cloudbleed very good for me i am around this forum all day long and had information from here 1st...

After 1-2 days email arrived from exchange to change password and OTP also

I really can't believe that up to now... some years before the OTP was announced to be something like unbreakable and here we are

Over the past 5 years from the experience we have in every day using computers ( no matter the level) i understood one thing...the only unbreakable is the BTCitcoin

But anyway, in the community we not hear anything bad from this bug to any exchange happening etc... so all is good !