Warning: Massive data leak may have exposed your personal info from thousands of sites

Written by |

Another day, another data breach — and this time it involves a security flaw found in a major web services company used by millions of websites — which means pretty much anyone who uses the Internet could have had their personal information exposed to the public in a whole lot of places.

Read more: 7 worst tax scams to watch out for

Security flaw leaked data from hundreds of websites

Cloudflare — a company that provides a content delivery network used by more than 5.5 million websites, along with Internet security services and distributed domain name server services — accidentally leaked customers’ personal and sensitive information for months.

Basically there was a bug on the company’s servers that allowed data to be leaked out when certain websites made connections that they have to make in order for you to see and use the sites the way you do. (Cloudflare explained the issue in a blog post with more technical details if you’re interested.)

Unlike many data breaches, this leak wasn’t a just one-time thing: sensitive data may have been leaking from major sites since September of last year, with the biggest impacted period between February 13 and February 18 (just last week), according to Cloudflare.

The leaked data included ‘private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings,’ according to a Google security researcher who discovered the issue. ‘We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.’

Read more: This text message scam will steal your info

What caused the leak to occur

After Cloudflare was notified about the security flaw, the company said it disabled several new features that had caused the problem to occur — but it took about a week for its team to fully fix the issue and then announce the leak to the public.

‘Our natural inclination was to get news of the bug out as quickly as possible, but we felt we had a duty of care to ensure that search engine caches were scrubbed before a public announcement,’ the company said in the blog post.

To give you some context, caching is primarily used to make websites load faster, but when you get into all the technical details, there’s a lot more to it. A web cache system also stores copies of information and documents that pass through the server — which is why a security flaw in the server is a big problem.


Here’s a simple explanation from section.io, a website performance company, of how and why caching is used:

‘Every time you visit a web page, you are using your web browser to request and assemble that page from the website’s server. The server holds all the files needed to assemble that web page, including the HTML doc (instructions to build the rest of the page), the images, text, styling, and more. On average, your browser makes upwards of 100 requests back and forth from the website’s server to build a complete webpage.

So basically, whenever you return to a site you’ve visited before, the cached memory allows the site to load faster, providing a better user experience.

Here’s another explainer from section.io about how servers come into play when it comes to websites’ stored data:

‘Web pages are also sometimes cached closer to the website server, rather than on your personal computer. When a website installs a cache on top of their server, they are keeping copies of the relevant files and instructions in that cache. When your browser requests data from the website server, it hits the cache first, and if the cache has a recent copy of the web page you requested, the cache delivers the assembled content directly to your web browser so your browser doesn’t have to travel back to the server. ‘

Websites that may have leaked your data

The Google researcher pointed out in a recent Tweet that major sites including Uber, 1Password, FitBit and OKCupid were affected — meaning users’ data and activity on these sites (that are supposed to be secure) were actually leaked. 

A big problem for consumers is that a commonly used strategy to know if a site is secure is by looking for ‘https’ at the beginning of the URL — which indicates that the page is protected by security measures designed to keep hackers from accessing sensitive data stored on the site.

But in this case, even sites protected by https security measures were affected.​

There’s a tool called Does It Use Cloudflare which will tell you if a certain website has been affected. The tool indicates that many popular sites like Facebook, Google, Amazon, and Twitter were not affected by the data leak.

But considering the fact that more than 5.5 million websites use Cloudflare services, your data may have been leaked from other sources. There’s also an unofficial list of affected sites you can check to see if your data could have been exposed.


How to protect your information online

Although Cloudflare says the search engines affected have fixed the leak, reports claim that exposed data can still be found with a simple online search — meaning sensitive data is still floating around out there.

And since it still isn’t entirely clear what exact data was actually leaked, it’s crucial that you take steps to protect yourself and your information.

The safest solution for you in terms of protecting your data is to change your passwords.

You can use a password manager (one that doesn’t use Cloudflare) to keep track of all of your passwords, as well as to generate unique passwords for each site you use. You should also set up two-factor authentication for any account/website that offers the extra security.

Resources to help you protect yourself online:

Reminder: The dangers of using common passwords

Despite all the warnings and horror stories about fraud and identity theft, many people ignore the risks associated with using words like ‘password’ as their password — usually with the underlying thought: Why would someone want to steal my password?’

Well, when it comes to scammers and thieves, you are no different than the next person — and the latest data leak if proof of that.

Scammers are looking for any information they can get from you — and a new report from security firm Keeper reveals just how insecure many people’s accounts really are.

Read more: 5 ways to keep your information safe from hackers

After analyzing 10 million leaked passwords, the study found that 17% of people are using ‘123456’ to secure their accounts — which, of course, is about as far from secure as you can get.

A few other alarming trends:

  • 4 of the top 10 passwords are 6 characters or shorter.
  • Many users are using passwords like “1q2w3e4r” and “123qwe” — combinations that ‘dictionary-based password crackers’ can hack in just a few seconds.
  • “1234567,” “12345678,” “qwerty,” and “111111” also made the list.

The analysis found that more than 50% of people are using the top 25 most common passwords.

Bottom line: If your passwords include any of the words below, in any combination, it’s time to change them!

Top 25 most common passwords

1. 123456
2. 123456789
3. qwerty
4. 12345678
5. 111111
6. 1234567890
7. 1234567
8. password
9. 123123
10. 987654321
11. qwertyuiop
12. mynoob
13. 123321
14. 666666
15. 18atcskd2w
16. 7777777
17. 1q2w3e4r
18. 654321
19. 555555
20. 3rjs1la7qe
21. google
22. 1q2w3e4r5t
23. 123qwe
24. zxcvbnm
25. 1q2w3e

Read more: How to safely store (and remember) your passwords

If your password is on this list, it’s time to change it

A report released last year by SplashData revealed similar results regarding just how susceptible people are to hackers.

The ‘worst’ passwords list combined compilations of passwords that were leaked during 2015, in order to find the most popular and widely-used security phrases.

So, again, this means if any of your passwords are on this list, you’re making it a whole lot easier for thieves to guess their way into your accounts.

Worst passwords

1. 123456

2. password 

3. 12345678 


4. qwerty 

5. 12345 

6. 123456789 

7. football 

8. 1234 

9. 1234567 

10. baseball 

11. welcome

12. 1234567890

13. abc123 


14. 111111 

15. 1qaz2wsx

16. dragon 

17. master 

18. monkey 

19. letmein 

20. login

21. princess 

22. qwertyuiop 

23. solo 


24. passw0rd 

25. starwars 

Read more: Easy way to know if your account has been compromised

How to spot a fake retail website