One frame from a video, a few words from a private message — these are the types of fragments that were leaked because of a glitch in the code of Cloudflare, the widespread internet security and website delivery service.
The company disclosed Thursday that the glitch, a bug known as "Cloudbleed," was discovered last week. Cloudflare has more than 5 million customers, including Reddit, OK Cupid and NASDAQ, who use the service to keep their websites secure and assist with accommodating traffic. The company said the bug affected 150 of those websites.
Cloudflare CEO Matthew Prince says it's not necessary for people to change their passwords, even if they have accounts with any of the websites whose data was leaked. He talked to Marketplace Tech host Ben Johnson about what happened. Below are some edited excerpts from their conversation.
Matthew Prince: It was found when Google was crawling the internet and what they found was a whole bunch of anomalous data that showed up and we were able to see that what was happening was our data was leaking a tiny bit of information about a handful of our customers.
Ben Johnson: When you say customers, you mean websites — some of which we’ve heard of, right?
Prince: Yeah, there were about 150 websites that we were able to discover had some private data that was indexed by Google. This is very different from when you hear about Yahoo leaking hundreds of millions of passwords. The sort of real world analogy which makes the most sense to me is most hacking that you hear about is the equivalent of burglars breaking into your office and stealing your filing cabinets. This is more like you’re sitting in a bar and there were two executives next to you talking about something that you shouldn't have necessarily heard. It was much more ephemeral but that doesn't mean it wasn't potentially risky.
Johnson: It’s sort of like data that’s not secure. Are these passwords, are they user names, are they payment data on credit cards that have been input into websites that were your customers’? What are we talking about?
Prince: It could have been anything that flowed through our network at any given period of time, so in a chat application, there may be fragments of conversations that appeared there. In a video streaming application, there may have been essentially a frame of a video. It would be the wrong reaction to say if you’ve used the internet at all two weeks ago, go change everything. I’m a customer of at least 10 percent of the 150 customers that we saw some private data for that was out there. I haven't changed any of my passwords today. And that's not because I’m being cavalier about it. It’s because it is much more likely that someone sitting next to you at a bar, watching you type your password in and writing it down, than was there.
Johnson: Are you going to do anything different going forward or is this just something that happens sometime?
Prince: There will always be flaws in software. The thing that we’ve spent the last week thinking about is how do we go back and review old software that's been around a long time and seems to be working just fine but may have some latent bug in it. So I think going back and reviewing that code is really important.