Cloudflare Reports a Sensitive Memory Leak

In-depth post:

And this Discord blog post just about sums it up nicely:

It's advised to change passwords on all Cloudflare protected websites, seeing as this could have leaked cookies including session tokens.

Update:

1 Like

Fortunately the circumstances for the CloudFlare leak are very specific:

1) The page had to end in an open script or image tag

2) CloudFlare user had to have Email Obfuscation or Automatic HTTPS rewrite AND Server-Side Excludes which only fire if the end user's IP has a poor reputation.

To simplify it: only people whose IP has a poor reputation could have been affected, even then only if the page they were visiting had an open script or image tag.

Yes, you should update your passwords, it's a great idea to do that regularly regardless. At the same time, don't panic. Given the technical details, it's unlikely well-coded sites such as Level1Techs were impacted.

2 Likes
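Added example, not part of the original posts: a check a site owner could run over their own origin pages for condition 1 as stated in the post above (the page ends in an open script or image tag). Reading "open" as "the document ends before the tag's closing `>`" is an assumption, and the function names and sample pages are constructed for illustration.

```python
import re
# Tag names from condition 1 in the post above ("open script or image tag").
WATCHED_TAGS = {"script", "img"}
_TAG_START = re.compile(r"<([a-zA-Z][a-zA-Z0-9]*)")
_SCRIPT_END = re.compile(r"</script", re.I)

def _tag_end(html, pos):
    """Index of the '>' closing the tag, ignoring '>' inside quoted values; -1 if none."""
    quote = None
    for j in range(pos, len(html)):
        c = html[j]
        if quote:
            if c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == ">":
            return j
    return -1

def trailing_open_tag(html):
    """Name of the start tag the document ends inside of, or None (heuristic scan)."""
    i = 0
    while True:
        lt = html.find("<", i)
        if lt == -1:
            return None
        m = _TAG_START.match(html, lt)
        if not m:                       # end tag, comment or stray '<'
            i = lt + 1
            continue
        end = _tag_end(html, m.end())
        if end == -1:
            return m.group(1).lower()   # input ran out before the tag's '>'
        i = end + 1
        if m.group(1).lower() == "script":
            close = _SCRIPT_END.search(html, i)   # script body is raw text
            if close is None:
                return None             # the start tag itself was terminated
            i = close.start()

def audit(pages):
    # Map page name -> watched tag left open at the very end of that page.
    return {n: t for n, h in pages.items()
            if (t := trailing_open_tag(h)) in WATCHED_TAGS}

SAMPLES = {  # constructed pages, not from any real site
    "ok.html": '<html><body><img src="a.png"></body></html>',
    "cut.html": '<html><body><p>hi</p><img src="a.png',
}
```

`audit(SAMPLES)` flags only `cut.html`; a hit means the template or truncating code path that produced the page is worth fixing, independent of any CDN in front of it.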

So we don't need to change our passwords here? ;-)

FTFY

From my understanding, those are the conditions for triggering the leak. The data leaked however could be anything that was going through. Check the redacted examples in the Google bug tracker: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

Level1Techs is using Cloudflare. So assume that your password here has been compromised. Yes, the actual chance of your specific password being leaked is low. But it's like Russian roulette: the best way to win is to not play.

tl;dr: Change your passwords. Now.

4 Likes

Here's a snippet from an email sent to CloudFlare Partners this morning:

In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

Fortunately, your customers' domains have not been discovered to expose data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your customers' domains during this search, we will reach out to you and your customer directly and provide full details of what we have found.

1 Like

Reading through a number of reports on this topic (Google - who found it, ArsT, Forbes) it looks like CloudFlare is understating to some degree the "possible" fallout. While it is true that the probability of any one individual's credentials being compromised is rather low, the random nature of the memory dumps, and worse still the caching, for almost 6 months, make it a very good idea to re-generate all of your passwords. It is the small group of unscrupulous actors who make a living out of trading and exploiting this data for personal gain that should be the motivating factor here.

And as stated previously numerous times .. it's good practice anyway.

L1T isn't affected by this. (this has been confirmed)

:)

2 Likes

How has this been confirmed, if I may ask?

Too late, already went through my monthly change.

Password security folks

1 Like

Wendell checked.

I learned that as long as you got the whole alphabet (upper and lower case including the weird German four öäüß) and numbers, you only need to go for 16 to 26 places to be safe.

Also, to the interest of some of us on L1T, Discord, Patreon and DigitalOcean use Cloudflare. Source with link to download full list.