Cloudflare is a service used by millions of websites across the internet. The CDN (Content Delivery Network) service, which also helps to streamline security functions of websites, was found to have a bug that exposed highly sensitive user data. Cloudflare wasted no time in fixing the bug once it was reported, although it is believed that the bug has been active since September.
The bug was reported by Tavis Ormandy, and you can follow his post on Google’s security blog for the full details.
It looked like that if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output (kinda like heartbleed, but cloudflare specific and worse for reasons I'll explain later).
In short, Cloudflare had changed to a new parsing system, which exposed a flaw in their existing code. Requests for affected HTML pages caused the proxy to leak memory contents (a buffer issue) into its responses, and those responses were then cached by search engines. The leaks were significant: Ormandy was able to view passwords from password managers, API keys, personal messages, hotel bookings, cookies, and a host of other personal information.
The best advice we can give you at this point is: go ahead and change your passwords. You don’t know which of the sites you visit use Cloudflare, and Cloudflare hasn’t fully determined how large the leak actually was or even whether attackers in the wild were taking advantage of the bug. Still, better safe than sorry.
NOTE: 1Password has refuted any claim that any of their data was lost due to the Cloudflare bug. They repeatedly insisted on Ormandy’s Twitter feed that they have a multi-layered defense against this sort of leak and that their customers have not been compromised. Here is their blog post.