OT: Probably time to change your passwords

Submitted by Nobody Likes a… on

http://fortune.com/2017/02/24/cloudflare-leak-bug-sensitive-information/

So it looks like Cloudflare, a content distribution network, had been leaking data with a known exploit for a couple of weeks. I know MGoBlog uses CloudFlare, but I believe we’re safe because it is just static content hosted. However, they are a CDN for a lot of major sites including reddit. So better safe than sorry and just update those passwords.

SituationSoap

February 24th, 2017 at 1:11 PM ^

Basically, you should assume that every password you currently use is compromised. Any website which would cause an "Oh shit, my life is getting a lot more complicated" reaction if someone were to get that password - change that password. 

PoseyHipster

February 24th, 2017 at 1:38 PM ^

There are a million different ways to skin this particular cat, but they're all vulnerable in one way or another. My biggest tip is to never use the same password on more than one site with the same login (i.e. your email). If someone did hack MGoBlog, that may be embarrassing but not a huge problem, but if hacking MGoBlog gives them access to your account at Amazon, PayPal or a credit card?

I use a password store that is synced between my computers and my phone and generate random passwords for every login.

BornInA2

February 24th, 2017 at 1:20 PM ^

Significantly, 1Password uses CloudFlare. So if you're using it as a password manager, your master password could be compromised.

Hurray for shitty code quality!

I Bleed Maize N Blue

February 24th, 2017 at 1:32 PM ^

Not according to this post.
No secrets are transmitted between 1Password clients and 1Password.com when you sign in and use the service. Our sign-in uses SRP [Secure Remote Password protocol], which means that server and client prove their identity to each other without transmitting any secrets. This means that users of 1Password do not need to change their Master Passwords.
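The SRP sign-in described in the quoted 1Password statement, as an added example that is not part of this thread or 1Password's own code: a toy SRP-6a login in Python using the 1024-bit group from RFC 5054 and SHA-256 (the group, hash and message layout here are assumptions chosen for illustration; the page does not say which parameters 1Password uses). It shows what an eavesdropper sitting where a CDN edge sits would see in the TLS plaintext of a login: the username, the salt, two public values A and B, and two hash proofs M1 and M2, but never the password or the stored verifier.

```python
"""Toy SRP-6a exchange between a client and a server (added example, not
1Password's implementation).  Every value that crosses the network is
collected in `transcript` so you can check what an eavesdropper gets."""
import hashlib
import hmac
import secrets

# 1024-bit SRP group from RFC 5054, Appendix A: prime N and generator g.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3",
    16,
)
g = 2
N_BYTES = (N.bit_length() + 7) // 8  # 128


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(n: int) -> bytes:
    """Left-pad an integer to the byte length of N (RFC 5054 PAD())."""
    return n.to_bytes(N_BYTES, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier parameter


def private_x(salt: bytes, username: str, password: str) -> int:
    """x = H(salt | H(username ':' password)); only the client computes this."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def register(username: str, password: str):
    """Enrolment. The server stores (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    verifier = pow(g, private_x(salt, username, password), N)
    return salt, verifier


def srp_login(username: str, password: str, salt: bytes, verifier: int):
    """One complete SRP-6a login between a client that knows `password` and a
    server that knows only (salt, verifier).  Returns (succeeded, transcript),
    where `transcript` holds every value that crosses the network."""
    transcript = {"I": username.encode(), "salt": salt}

    # Client -> server: identity and ephemeral public value A = g^a.
    a = secrets.randbelow(N)
    A = pow(g, a, N)
    transcript["A"] = pad(A)

    # Server: reject a degenerate A (A mod N == 0), then send B = k*v + g^b.
    if A == 0:
        return False, transcript
    b = secrets.randbelow(N)
    B = (k * verifier + pow(g, b, N)) % N
    transcript["B"] = pad(B)

    # Both sides: scrambling parameter u from the two public values.
    u = H(pad(A), pad(B))
    if B == 0 or u == 0:  # client-side abort conditions from SRP-6a
        return False, transcript

    # Client: S = (B - k*g^x)^(a + u*x); needs the password via x.
    x = private_x(salt, username, password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_client = hashlib.sha256(pad(S_client)).digest()

    # Server: S = (A * v^u)^b; needs only the stored verifier.
    S_server = pow(A * pow(verifier, u, N) % N, b, N)
    K_server = hashlib.sha256(pad(S_server)).digest()

    # Client -> server: proof M1 that it derived the same session key K.
    M1 = hashlib.sha256(pad(A) + pad(B) + K_client).digest()
    transcript["M1"] = M1
    expected_M1 = hashlib.sha256(pad(A) + pad(B) + K_server).digest()
    if not hmac.compare_digest(M1, expected_M1):
        return False, transcript  # wrong password (or tampered exchange)

    # Server -> client: proof M2, so the client also authenticates the server.
    M2 = hashlib.sha256(pad(A) + M1 + K_server).digest()
    transcript["M2"] = M2
    expected_M2 = hashlib.sha256(pad(A) + M1 + K_client).digest()
    return hmac.compare_digest(M2, expected_M2), transcript


def transcript_contains(transcript: dict, needle: bytes) -> bool:
    """True if `needle` appears verbatim in anything that went over the wire."""
    return any(needle in value for value in transcript.values())


if __name__ == "__main__":
    # Constructed sample credentials for the demo.
    salt, v = register("alice@example.com", "correct horse battery staple")
    ok, wire = srp_login("alice@example.com", "correct horse battery staple", salt, v)
    print("login ok:", ok)
    print("password on the wire:", transcript_contains(wire, b"correct horse battery staple"))
    print("verifier on the wire:", transcript_contains(wire, pad(v)))
    print("wrong password accepted:", srp_login("alice@example.com", "hunter2", salt, v)[0])
```

The caveat a practitioner would add: SRP covers the password at sign-in. Whatever else the same session sends in TLS plaintext after sign-in (session tokens, application data) is a separate question, and a real deployment should use a reviewed SRP library rather than a toy like this one.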

emozilla

February 24th, 2017 at 2:13 PM ^

It was patched before it went public, and (most of) the cached results that contain potentially private information were purged before the disclosure. All in all, it's highly unlikely that you individually had any information leaked. Now, that's not to say you shouldn't change your passwords, but it's a far cry from Heartbleed where there were tens of thousands of servers leaking information to anyone who came calling after the public disclosure.

Aspyr

February 24th, 2017 at 2:30 PM ^

Whoever is the Cloudflare account manager at MGoBlog should receive an email from Cloudflare where they will tell you if this website has been affected and what data has been exposed, or if it hasn't.

If it was or wasn't, it would be good to know, as many probably use the same email/password combination on other websites.

superstringer

February 24th, 2017 at 2:33 PM ^

So if, like, a really stupid comment/post goes up under my MGoBlog user account name, and maybe like it gets a bazillion negs and the post sends the account to Bolivia (or Venezuela or TRAPPIST-1h or whatever)... can I defend myself and get all my MGoPoints back on the grounds it was the Russian hackers who did it???

bronxblue

February 24th, 2017 at 4:56 PM ^

My understanding was that the leak only occurred in 1 per 3.3M requests. So it isn't a huge leak, though obviously you should still rotate your passwords.