Cloudflare today said that, due to a bug, approximately 150 of its customers across its Free, Pro, Business, and Enterprise plans had sensitive information leaked through third-party caches, such as the Google search cache.
Cloudflare co-founder and CEO Matthew Prince in a blog post said the company “has resolved the bug within hours of reporting to us.”
Cloudflare said there was a risk that some of its customers’ sensitive information could be available through third-party caches, such as the Google search cache. Cloudflare said the memory leak was caused by a serious bug that impacted Cloudflare’s systems.
Over the last week, Cloudflare worked with these caches to discover which customers may have had sensitive information exposed and to ensure that the caches are purged. “We waited to disclose the bug publicly until after these caches could be cleared in order to mitigate the ability of malicious individuals to exploit any exposed data,” Matthew Prince said.
Matthew Prince said Cloudflare reached out to these affected customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.
Since Cloudflare patched the bug, its systems have stopped leaking data. “However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found,” Matthew Prince said.
Cloudflare has yet to find any instance of the bug being exploited. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.