Topic: [Warning][Cloudbleed bug] Change your passwords & 2FA & API keys (Read 1563 times)

legendary
Activity: 1124
Merit: 1000
13eJ4feC39JzbdY2K9W3ytQzWhunsxL83X
I had an account at an exchange that is using Cloudbleed, very good for me; I am around this forum all day long and got the information from here first...

After 1-2 days an email arrived from the exchange to change the password and the OTP as well.

I really can't believe it, up to now... some years ago the OTP was announced to be something like unbreakable, and here we are.

Over the past 5 years, from the experience we have in using computers every day (no matter the level), I understood one thing... the only unbreakable thing is Bitcoin.

But anyway, in the community we haven't heard anything bad happening to any exchange from this bug, etc... so all is good!
legendary
Activity: 1848
Merit: 1000
Nice thread, I was looking for a list of all the sites that might be affected and I didn't see one until just now.  It's always a good idea to have 2FA enabled on all accounts.
legendary
Activity: 2380
Merit: 1085
Money often costs too much.
I wonder when bitcointalk would use 2fa. It would be great if they decide to implement it soon..

Nope. There already is something far superior active. You can add a BTC address to your profile (or post it somewhere; there's a thread for that where people quote those postings for tamper-proofness), and if THAT breaks, the whole saga is over anyway.

2FA usually just adds an Android cellphone, and every one of us knows those aren't adding to your security but subtracting from it.
hero member
Activity: 2884
Merit: 794
I am terrible at Fantasy Football!!!
--
I have to start using a password manager to deal everything now which i have been avoiding all this while.
Yeah well, I've tried using one before but decided against continuing its use after some time. It's just an additional worry.
Frankly, I couldn't stop worrying that the password manager I use would be the weak point, and then ALL of my accounts would have been compromised.
Decided to go old school instead and keep a hard copy. Nothing better than pen and paper.

Almost every site uses CloudFlare nowadays. AND that bug has been there for months.

I wonder when bitcointalk would use 2fa. It would be great if they decide to implement it soon..
Open source password managers are not so bad: you know you are the only one holding your passwords, the file where the passwords are contained is encrypted, and you need a master password. If you prefer to have a hard copy there is no problem, but a password manager can save lots of time.
legendary
Activity: 994
Merit: 1000
You can add cubits.com and nicehash.com to the list; I have got emails from both of them about Cloudbleed this week. I have changed my password on most of the sites that have Cloudflare.
legendary
Activity: 1218
Merit: 1007
Shit, gonna have to go and change my blockchain API.

I'm glad this was caught relatively sooner rather than later, but it's a shame there is another issue of this kind.

Luckily I don't have anything of considerable value stored on anything there, maybe $10 across all the affected sites you mentioned. Either way, better to be safe rather than sorry.
legendary
Activity: 1904
Merit: 1074
Holy shit, a lot of big sites have been affected: 4,287,625 possibly affected domains. Some of these, like Fiverr and Uber, are also on the list.

Damn, this is a major oversight on their side, and I think a bunch of these sites are going to cancel their membership after this. You think you are relatively safe, and then something like this happens.
legendary
Activity: 1042
Merit: 2805
Bitcoin and C♯ Enthusiast
Sound advice. It's worth adding that if you previously set up shared-secret 2FA between 2016-09-22 and 2017-02-18 on one of the affected sites, you should get a new secret in addition to changing your password. Usually disabling and re-enabling 2FA is the way to do that.

Good idea, added "Change 2FA" and "API keys" to the subject and in the TL;DR with red font.
hero member
Activity: 756
Merit: 503
Crypto.games
--
1. How does that contribute to any discussion here? Off-topic much?
2. We're supposed to be talking about services using Cloudflare and not password managers..
3. Not every site. The sites which are prone to DDoS do. Finally people can stop using that crap.
4. Not anytime soon. Neither is a feature request on the new forum.
1. What, I can't comment on a point in his post I find interesting? As for the topic, SEE the hr line?
2. Nitpick much? Should I rearrange my post and place the middle part on top to stop your fussing?
3. Hence the word 'Almost'. And finally, the only part of your post that's got anything to do with the 'topic'.
4. Uh-huh. Whatever you say.

As for the topic (in case there's another fuss),
the bug's been there for months (since September last year), Cloudflare was clueless, and the bug had to be found and reported by someone from Google?

Anyway, for anyone who hasn't done so yet, make sure to change your account's password and activate 2fa if possible.

Remember to make your passwords strong and never reuse them on multiple sites.
(You could use password managers or make hard copies to keep track of your account details.)
 
hero member
Activity: 602
Merit: 500
I changed my password as soon as I got the email regarding this bug. I haven't received any email from Yobit, C-cex, etc., and I wonder if they use Cloudflare or not.
member
Activity: 89
Merit: 10
Thanks for posting. I will change my password now.
member
Activity: 84
Merit: 10
I think I should change my password right now. Thank you for the information.
legendary
Activity: 1232
Merit: 1030
give me your cryptos
Anyone knows what kind of vulnerability the Cloudflare exploit has? May I know why do we need to change our passwords?

It's obvious that they won't give you the exact details and nature of the bug. No system is perfect, so there's bound to be more.

From the emails that Kraken and Poloniex sent me, the nature of the bug seems to be something to do with CloudFlare's reverse proxy system stuffing up. In very rare cases, secure HTTPS requests could be read, meaning things like passwords and 2FA keys could have been skimmed.
hero member
Activity: 826
Merit: 501
Thanks for this warning. Many people using the sites affected by the Cloudbleed bug will be aware now. I will change my password too, but is it already safe if I change my password? Or do I need to activate my 2FA security so that my account will surely be safe now? Or do I need to do something else?
sr. member
Activity: 1372
Merit: 255
Anyone knows what kind of vulnerability the Cloudflare exploit has? May I know why do we need to change our passwords?
sr. member
Activity: 406
Merit: 250
Really, thank you for the warning. I will change all my account information, and then set up the 2FA security code. But I want to know why they are using CloudFlare; this is quite dangerous. What will happen if their users lose money, are they responsible or not?
hero member
Activity: 2590
Merit: 644
I don't see anyone talking about this here so I'll start it here because of its importance and move it to services discussion later.


TL;DR: Bitcointalk is not affected, there is a small chance exchanges and web wallets are affected. To be safe change your password and enable 2 Factor Authentication.



You may have heard about the Cloudflare bug that leaked lots of sensitive information; if not, read more about the details here:
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

In any case you should change all your passwords on services that were using Cloudflare and are affected by this bug in order to be safe. You can see more information and the list of affected services here:
https://github.com/pirate/sites-using-cloudflare/blob/master/README.md

Also there is a website to check if a website was using Cloudflare (not sure how reliable it is):
http://www.doesitusecloudflare.com/

Name|Uses cloudflare (May Be Affected)
Bitcointalk|No (does not use Cloudflare)
Bitstamp|No (does not use Cloudflare)
Blockchain.info|YES
Bitfinex|YES
Coinbase|YES
Localbitcoins|YES
Poloniex|YES
Bittrex|YES
Kraken|YES
Bitpay|YES
Btc-e|YES
Cex.io|YES
C-cex|YES
Yobit|YES
* These sites may or may not be affected by the bug, but it is safer if you change your password immediately and enable 2FA. Better safe than sorry.
** Just checked a couple of gambling sites, and they all use Cloudflare. Not going to list them here since they are of less importance but you have been warned.

Help me complete the table.
Thanks for this update. This helps a lot of users from different sites to be alert to this Cloudbleed bug, which can cause leaks of sensitive personal information. This is a big deal and we all need to pay attention to this kind of issue to avoid getting hacked. As of now, I haven't received any email notifications for my accounts, but I will change my password as soon as possible. Thanks again OP for alerting us.
full member
Activity: 182
Merit: 100
Luckily, I haven't received any mail about 2FA from any site yet, but many thanks to you; your alert is very valuable to me and I will change my password regularly, in case of danger from the Cloudbleed bug.
hero member
Activity: 2912
Merit: 556
Enterapp Pre-Sale Live - bit.ly/3UrMCWI
I've got the email from Poloniex and Bittrex too, and it said that I should change my password and my 2FA for security reasons. I read the news about Cloudflare having a bug, and sites using Cloudflare are potentially exposed to the attack. I already asked Poloniex and they request their members to change their password and 2FA, just to make sure their members are safe from the attacker. It is good that we know about this news so we can secure our accounts from the attacker, and we need to activate 2FA for our accounts.
legendary
Activity: 1750
Merit: 1115
Providing AI/ChatGpt Services - PM!
Yeah well, I've tried using one before but decided against continuing its use after some time. It's just an additional worry.
How does that contribute to any discussion here? Off-topic much?

Frankly, I couldn't stop worrying that the password manager I use would be the weak point, and then ALL of my accounts would have been compromised.
We're supposed to be talking about services using Cloudflare and not password managers..

Almost every site uses CloudFlare nowadays. AND that bug has been there for months.
Not every site. The sites which are prone to DDoS do. Finally people can stop using that crap.

I wonder when bitcointalk would use 2fa. It would be great if they decide to implement it soon..
Not anytime soon. Neither is a feature request on the new forum.
legendary
Activity: 1232
Merit: 1030
give me your cryptos
--
I have to start using a password manager to deal everything now which i have been avoiding all this while.
Yeah well, I've tried using one before but decided against continuing its use after some time. It's just an additional worry.
Frankly, I couldn't stop worrying that the password manager I use would be the weak point, and then ALL of my accounts would have been compromised.
Decided to go old school instead and keep a hard copy. Nothing better than pen and paper.

Almost every site uses CloudFlare nowadays. AND that bug has been there for months.

I wonder when bitcointalk would use 2fa. It would be great if they decide to implement it soon..

They're implementing it in the beta forum, but who knows when that thing's coming out. It's been years.

Hats off to Theymos for sticking to his decision on not using Cloudflare because of the same security reason he envisioned long back, when everyone was asking to add Cloudflare to protect from DDoS. Change all the passwords to be safe and enable 2FA to safeguard all your accounts. The majority of the sites use Cloudflare, so check that out and change the passwords to be on the safe side.

Congrats, you copied my post, added a generic warning and got paid for it. Hats off to you. I'm sure you haven't even read that post, and of course you won't read this one, you spammer. I'll take it all back if you actually read this, without having someone else notify you about this.
legendary
Activity: 1288
Merit: 1000
I wonder when bitcointalk would use 2fa. It would be great if they decide to implement it soon..
Bitcointalk was hacked before and sensitive data was leaked; in cases like that 2FA is not helping at all.

We know that the Cloudflare issue caused a leak of approximately 0,00003% of personal data, but I wonder what that number really means.
I.e. what is the actual number of compromised accounts and how many passwords leaked: 1000 or 10000?
hero member
Activity: 518
Merit: 500
Is it true that most third-party services' passwords have been leaked? That is terrible.. People can lose up to a thousand Bitcoin. Thanks for sharing this information. I will change my password ASAP and start announcing this news to my friends. Damn it. I should never trust Coinbase again.
sr. member
Activity: 528
Merit: 368
In any case you should change all your passwords on services that were using Cloudflare and are affected by this bug in order to be safe. You can see more information and the list of affected services here:
https://github.com/pirate/sites-using-cloudflare/blob/master/README.md

Sound advice. It's worth adding that if you previously set up shared-secret 2FA between 2016-09-22 and 2017-02-18 on one of the affected sites, you should get a new secret in addition to changing your password. Usually disabling and re-enabling 2FA is the way to do that.
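Why "change your password" is not enough for shared-secret 2FA, as an added illustration (this is not code from any poster in the thread): a minimal RFC 6238 TOTP generator shows that whoever holds the enrolled secret produces exactly the same codes as the site, so a secret that may have sat in a leaked response has to be replaced by a fresh enrollment. The window check uses the dates quoted in the post above; the secret value and enrollment dates in the demo are constructed, and correctness is checked against the RFC 6238 test vector.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from datetime import date

# Exposure window quoted in the post above (inclusive).
WINDOW_START = date(2016, 9, 22)
WINDOW_END = date(2017, 2, 18)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def secret_needs_rotation(enrolled_on: str) -> bool:
    """True if a secret enrolled on this ISO date (YYYY-MM-DD) falls inside the
    window during which Cloudflare responses could have carried leaked memory."""
    return WINDOW_START <= date.fromisoformat(enrolled_on) <= WINDOW_END


def leaked_copy_still_works(site_secret: bytes, leaked_secret: bytes,
                            unix_time: int) -> bool:
    """A leaked copy of the secret is as good as the original: the codes match.
    Only a different secret on the site side makes the leaked copy useless."""
    return totp(site_secret, unix_time) == totp(leaked_secret, unix_time)


def new_enrollment_secret() -> tuple:
    """Fresh 160-bit secret plus the base32 form an authenticator app enrolls."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode()


if __name__ == "__main__":
    # Constructed scenario: the RFC 6238 test secret stands in for a secret
    # enrolled inside the window and later exposed in a leaked response.
    old = b"12345678901234567890"
    print(totp(old, 59, digits=8))                           # 94287082 (RFC 6238)
    print(secret_needs_rotation("2016-12-01"))               # True
    print(leaked_copy_still_works(old, old, 1_487_000_000))  # True: rotate it
    fresh, b32 = new_enrollment_secret()
    print("re-enroll the authenticator with:", b32)
```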
hero member
Activity: 756
Merit: 503
Crypto.games
--
I have to start using a password manager to deal everything now which i have been avoiding all this while.
Yeah well, I've tried using one before but decided against continuing its use after some time. It's just an additional worry.
Frankly, I couldn't stop worrying that the password manager I use would be the weak point, and then ALL of my accounts would have been compromised.
Decided to go old school instead and keep a hard copy. Nothing better than pen and paper.

Almost every site uses CloudFlare nowadays. AND that bug has been there for months.

I wonder when bitcointalk would use 2fa. It would be great if they decide to implement it soon..
hero member
Activity: 2814
Merit: 911
Have Fun )@@( Stay Safe
Hats off to Theymos for sticking to his decision on not using Cloudflare because of the same security reason he envisioned long back, when everyone was asking to add Cloudflare to protect from DDoS. Change all the passwords to be safe and enable 2FA to safeguard all your accounts. The majority of the sites use Cloudflare, so check that out and change the passwords to be on the safe side.
sr. member
Activity: 448
Merit: 250
It is just a bummer to hear about a major flaw in Cloudflare which leaks every piece of sensitive data online. The very fact that everyone uses these third-party protections to safeguard our privacy, and what a mess it has created. I have to start using a password manager to deal with everything now, which I have been avoiding all this while.
legendary
Activity: 1232
Merit: 1030
give me your cryptos
Hahahahahahaha!

Received like 8 emails this morning regarding this issue. Wondering if bitcointalk used CloudFlare. I remembered seeing a post by Theymos in the past about him not wanting to use CloudFlare due to security issues, and him saying that he'd rather handle the DDoS attacks himself.

Hey, we may not all love everything that he does, but you gotta give him some credit. Nice.
hero member
Activity: 1190
Merit: 534
Thanks for coming up with this warning. I was not using 2FA for some sites, but it seems that there is no alternative option, especially when there is such a possibility of leakage of confidential data. I was wondering why Theymos is not using CloudFlare-like services on bitcointalk, but after this incident I got my answer. Bitcointalk and we as a community cannot afford to lose our data.
legendary
Activity: 1042
Merit: 2805
Bitcoin and C♯ Enthusiast
I don't see anyone talking about this here so I'll start it here because of its importance and move it to services discussion later.


TL;DR: Bitcointalk is not affected; there is a small chance exchanges and web wallets are affected. To be safe, change your password and enable 2 Factor Authentication; if you already had a 2FA key, change that too, and also generate new API keys if you were using those.



You may have heard about the Cloudflare bug that leaked lots of sensitive information; if not, read more about the details here:
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

In any case you should change all your passwords on services that were using Cloudflare and are affected by this bug in order to be safe. You can see more information and the list of affected services here:
https://github.com/pirate/sites-using-cloudflare/blob/master/README.md

Also there is a website to check if a website was using Cloudflare (not sure how reliable it is):
http://www.doesitusecloudflare.com/

Name|Uses cloudflare (May Be Affected)
Bitcointalk|No (does not use Cloudflare)
Bitstamp|No (does not use Cloudflare)
Blockchain.info|YES
Bitfinex|YES
Coinbase|YES
Localbitcoins|YES
Poloniex|YES
Bittrex|YES
Kraken|YES
Bitpay|YES
Btc-e|YES
Cex.io|YES
C-cex|YES
Yobit|YES
* These sites may or may not be affected by the bug, but it is safer if you change your password immediately and enable 2FA. Better safe than sorry.
** Just checked a couple of gambling sites, and they all use Cloudflare. Not going to list them here since they are of less importance but you have been warned.

Help me complete the table.