You may never have heard of Cloudflare, but chances are it has heard of you. It's an internet service provider that handles about 10 percent of the world's web traffic and it's just learned that a "leak" in its system has exposed an unknown quantity of data to public view.
The flaw was first uncovered by Google vulnerability researcher Tavis Ormandy on February 17, but it could have been leaking data since as long ago as September 22, Wired.com reported.
Cloudflare's corporate clients include household names like Uber, Fitbit, and OkCupid, among many others, so there is potentially a lot of personal information at stake -- everything from user IDs and credit card numbers to health data.
Company officials emphasize that the security flaw wasn't a hack job but rather a bug that allowed some data -- one in every 3.3 million page requests -- to be publicly visible on the web. That doesn't sound like much, but considering the billions of page requests routinely handled by Cloudflare each day, it could be significant.
It's hard to estimate just how serious the problem was, but it illustrates the risks involved in today's massive data storage and transmission systems, where even a well-designed and carefully maintained network can experience small problems that have a potentially big result.
In this case, Cloudflare officials are saying that although the data leaks were real, there's no evidence any of it was misused.
"We think it’s unlikely that someone actually spotted it and did something bad with it,” John Graham-Cumming, Cloudflare’s chief technology officer, said, according to a Wall Street Journal report.
What to do
The advice for consumers will sound familiar -- change your passwords. This is easier said than done, of course. Most of us have hundreds of passwords if we actually do what experts recommend, which is to have a separate password for each site we visit.
One consumer we know has a 19-page list of user IDs and passwords. He uses LastPass to generate and store passwords but still encounters frequent incidents in which a single site -- Google, for example -- may require 20 or more passwords for separate accounts and functions.
It's devilishly hard to keep them all straight, and the idea of changing all of them every time there's another breach, hack, or leak becomes more than a little absurd.