Firstly, to call it a hack is probably wrong: nobody broke in, a bug in Cloudflare's own systems leaked the data. But some big-name websites are known to use Cloudflare's services, and probably others use it that we don't know about yet.

Cloudflare fronts Uber, OkCupid and Fitbit, among thousands of others.

Due to the nature of Cloudflare’s services it works with a lot of the internet underworld, in addition to some big mainstream names.

A lot of the most popular sites affected host pornography or provide bitcoin services.

Scroll down for a list of some of the biggest sites known to use Cloudflare.

Cloudflare sits between websites and internet users as a reverse proxy and content delivery network, serving sites' pages from its own edge servers and protecting them against DDoS attacks. This means Cloudflare handles a lot of traffic and sees a lot of information pass through its digital doors, including the decrypted contents of requests and responses, because for the sites it fronts the TLS connection from the browser terminates at Cloudflare's edge.


A Cloudflare update around September is thought to be the source of the leak. It meant that passwords, cookies and authentication tokens belonging to one website's traffic could be returned, in plain text, inside the responses Cloudflare served for other websites' pages.

If you visited a website that uses Cloudflare, you may have ended up with chunks of someone else's web traffic embedded in the HTML of the page your browser received.

This data then made its way into Google's cache of pages, and into the hands of any bots crawling the web, compounding the problem.
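To make the leak concrete, here is an added example (not from the original article, and not Cloudflare's or Google's code) of the kind of check a researcher or site operator could run over saved page bodies, whether fetched directly or pulled from a cache. It looks for HTTP header lines such as Cookie and Authorization that have no business appearing inside an HTML body, notes the Host header that says whose traffic leaked, and reports masked values so the findings report does not re-leak the secrets. The sample page bodies, hostnames, cookies and tokens are constructed for the example.

```python
import re

# Constructed sample: two saved page bodies as a browser or crawler would have
# received them. The first carries another user's raw HTTP request material
# spliced into the HTML; all hosts, cookies and tokens here are invented.
SAMPLE_PAGES = {
    "https://example.com/page1": (
        "<html><body><p>Hello</p>"
        "\x00\x00Host: shop.example.net\r\n"
        "Cookie: session=abc123def456; csrftoken=zz\r\n"
        "Authorization: Bearer eyJhbGciOi.fake.token\r\n"
        "<div>rest of page</div></body></html>"
    ),
    "https://example.com/clean": "<html><body><p>Nothing here</p></body></html>",
}

# Header names whose values are secrets or identify a user. A "Name: value"
# line inside an HTML body (rather than in the response headers) is a strong
# sign that memory from another request has been spliced into this response.
# The lookbehind stops "cookie" from matching inside "set-cookie" a second time.
LEAK_RE = re.compile(
    r"(?i)(?<![\w-])(set-cookie|cookie|authorization|x-forwarded-for|x-auth-token)"
    r"[ \t]*:[ \t]*([^\r\n<]{1,200})"
)

# The Host header says whose traffic leaked; it is context, not a secret.
HOST_RE = re.compile(r"(?i)(?<![\w-])host[ \t]*:[ \t]*([^\r\n<\s]{1,253})")


def mask(value: str, keep: int = 4) -> str:
    """Keep only a short prefix so a findings report does not re-leak the secret."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def scan_body(url: str, body: str) -> list:
    """Return one finding per sensitive header line found inside the body."""
    host_match = HOST_RE.search(body)
    leaked_host = host_match.group(1) if host_match else None
    findings = []
    for m in LEAK_RE.finditer(body):
        findings.append({
            "url": url,
            "header": m.group(1).lower(),
            "value": mask(m.group(2).strip()),
            "leaked_host": leaked_host,
        })
    return findings


def scan_pages(pages: dict) -> dict:
    """Scan every saved body; return only the URLs that carried leaked headers."""
    report = {}
    for url, body in pages.items():
        findings = scan_body(url, body)
        if findings:
            report[url] = findings
    return report


if __name__ == "__main__":
    for url, findings in scan_pages(SAMPLE_PAGES).items():
        for f in findings:
            print(f"{url}: {f['header']} from {f['leaked_host']} -> {f['value']}")
```

The header names are a starting set; anything that carries credentials for your own application (a custom session header, an API key parameter) belongs in the same pattern. Because the leaked bytes were raw memory, the header lines can start anywhere in the body, which is why the pattern does not anchor to the start of a line.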

Over at tech news site The Register it was compared to “sitting down at a restaurant, supposedly at a clean table, and in addition to being handed a menu, you’re also handed the contents of the previous diner’s wallet or purse”.

Due to the size of Cloudflare’s client base this is a big problem and will leave a huge percentage of the internet compromised. How much exactly is still not known. One company chief tech officer described the breach as “the worst I’ve ever seen”.

People are being advised to check their password managers and change all passwords, especially those used on the affected sites. Because session cookies and authentication tokens were exposed as well, changing a password alone does not revoke a leaked session, so it is also sensible to log out of all active sessions where a site offers that.

When was this discovered?

It was discovered a week ago by a Google researcher at the search giant’s Project Zero security team entirely by accident while he was looking through some search results.

He reached out on Twitter.

He then told Cloudflare so the company would have a chance to react before the bug was made public, as is standard practice when these things are discovered.

Cloudflare delayed, presumably to get a handle on the situation and deal with it under wraps to avoid the bad PR, until Google forced its hand.

Notable sites that are known to use Cloudflare:

(via GitHub)

  • authy.com

  • coinbase.com

  • betterment.com

  • transferwise.com

  • prosper.com

  • digitalocean.com

  • patreon.com

  • bitpay.com

  • news.ycombinator.com

  • producthunt.com

  • medium.com

  • 4chan.org

  • yelp.com

  • okcupid.com

  • zendesk.com

  • uber.com

  • namecheap.com

  • poloniex.com

  • localbitcoins.com

  • kraken.com

  • 23andme.com

  • curse.com (and some other Curse sites like minecraftforum.net)

  • counsyl.com

  • stackoverflow.com (not affected)

  • fastmail.com (not affected)

  • 1password.com (not affected)
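As an added example (not part of the original article) of acting on the advice above to check your password manager: this script takes a password-manager CSV export and reports which saved logins belong to a domain on the list, matching subdomains such as api.fitbit.com against fitbit.com by walking up the hostname's parent domains. The CSV column layout and the sample export are assumptions constructed for the example, and the domain set is a subset of the list above (plus the sites named at the top of the article, minus the three marked "not affected"); in practice you would load the full public list.

```python
import csv
import io
from typing import Optional
from urllib.parse import urlsplit

# Domains from this page's list of Cloudflare users (the three marked "not
# affected" are left out), plus the ones named at the top of the article.
# This is a subset for the example; load the full public list in practice.
AFFECTED_DOMAINS = {
    "authy.com", "coinbase.com", "betterment.com", "transferwise.com",
    "prosper.com", "digitalocean.com", "patreon.com", "bitpay.com",
    "news.ycombinator.com", "producthunt.com", "medium.com", "4chan.org",
    "yelp.com", "okcupid.com", "zendesk.com", "uber.com", "namecheap.com",
    "poloniex.com", "localbitcoins.com", "kraken.com", "23andme.com",
    "curse.com", "minecraftforum.net", "counsyl.com", "fitbit.com",
}

# Constructed sample of a password-manager CSV export. The column layout is an
# assumption; real exports differ, so adjust the "url" column name to match.
SAMPLE_EXPORT = """name,url,username,password
Coinbase,https://www.coinbase.com/signin,alice@example.org,hunter2
HN,https://news.ycombinator.com/login,alice,pw1
Bank,https://bank.example.org/,alice,pw2
1Password,https://my.1password.com/,alice,pw3
Fitbit API,https://api.fitbit.com/,alice,pw4
Bare host,coinbase.com,alice,pw5
"""


def host_of(url: str) -> Optional[str]:
    """Hostname of a URL or bare hostname, lower-cased; None if unparsable."""
    if not url:
        return None
    if "://" not in url and not url.startswith("//"):
        url = "//" + url          # let urlsplit treat a bare host as a netloc
    host = urlsplit(url).hostname
    return host.lower() if host else None


def matches_affected(host: str, affected=AFFECTED_DOMAINS) -> Optional[str]:
    """Return the affected domain covering host (exact or any parent), else None.

    Walks from the full host up to, but not including, the bare TLD, so
    api.fitbit.com matches fitbit.com but nothing matches on "com" alone.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in affected:
            return candidate
    return None


def accounts_to_rotate(export_csv: str) -> list:
    """Entries from the export whose site was behind Cloudflare; no secrets returned."""
    out = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        host = host_of(row.get("url", ""))
        if host is None:
            continue
        hit = matches_affected(host)
        if hit:
            out.append({"name": row["name"], "host": host, "matched": hit})
    return out


if __name__ == "__main__":
    for entry in accounts_to_rotate(SAMPLE_EXPORT):
        print(f"rotate {entry['name']}: {entry['host']} (on list as {entry['matched']})")
```

The export contains your passwords in plain text, so run this locally, never paste the export anywhere, and delete the file once you have your list. The script deliberately returns only the entry name and host, not the username or password columns.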