Internet users have been warned to change their passwords after a web security firm admitted a software bug had led to the leaking of personal information from some of the world’s most popular websites.
The leak of data from websites hosted by Cloudflare means passwords and private messages sent on dating websites could have been accessed by hackers.
Cloudflare, which is used by websites including Uber, Fitbit and OkCupid, revealed the security breach last Friday but said there was no evidence hackers had exploited the leak.
“We’ve seen absolutely no evidence that this has been exploited,” Chief Technology Officer John Graham-Cumming told Reuters.
“It’s very unlikely that someone has got this information.”
But experts say the company could not be sure that was the case and have warned internet users to change their passwords or risk hackers accessing their personal information.
No 1Password data was put at risk through the bug reported earlier today. https://t.co/S7G62Qw85Q
— Cloudflare (@Cloudflare) February 24, 2017
California-based Cloudflare helps protect and optimise six million websites.
Professor Asha Rao, an information security expert at RMIT University, said there was “no way of knowing” the leak hadn’t been exploited by hackers.
She said she would “absolutely” recommend users change their passwords.
“There are millions of websites [that appear to have been compromised]. If you are on that list, you should definitely change your password,” Professor Rao told The New Daily.
A list of more than four million domains potentially compromised by the Cloudflare leak has been posted online.
It includes popular website domains such as:
The website ‘Does it use Cloudflare?’ also allows internet users to see if domains they visit could have been compromised.
Professor Rao said the issue was a “big deal”, despite the fact the company believed the leak hadn’t been exploited by hackers.
“But the fact that this has come out is a good thing. The more information we have the more we can be aware,” she said.
In a blog post last week, Cloudflare said passwords, cookies and other sensitive data had been leaked.
“The bug was serious because the leaked memory could contain private information and because it had been cached by search engines,” the company said.
“We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”
Nigel Phair, Director of the University of Canberra’s Centre for Internet Safety, told The New Daily there was a risk that hackers could use passwords obtained through the Cloudflare leak to access users’ other personal accounts.
That was because users often used the same login details across different social media and websites.
“I’m a believer that people should change their passwords at least twice a year anyway. The problem is people reuse their passwords across multiple logins,” he said.
“It’s when you start replaying those passwords on social media and other logins that a problem can arise. That’s what the bad guys are hoping for. If you’ve replayed these passwords across your Twitter, Facebook, Gmail accounts, that is the holy grail for them.”