Comment by rdl

8 years ago

Neither this thread nor the Cloudflare blog post includes concise steps for customers who were exposed.

There's an argument for changing secrets (user passwords, API keys, etc.) for potentially affected sites, plus of course investigating logs for any anomalous activity. It would be nice if there were a guide for affected users, maybe a supplemental blog post.

(And yet again: thank you, Google, for Project Zero!)

What can they even say? "Change everything" doesn't really work. Any potentially secret data to or from a server could have been exposed.

  • Yes, but in general keys provide ongoing access; sensitive data itself is more limited in scope. Keys, auth tokens, etc. would be what I'd focus on.

Right there with you. I'm currently scrambling for remediation ideas. "Change everything" isn't tractable.

  • >I'm currently scrambling for remediation ideas. "Change everything" isn't tractable.

    It's not easy to deal with, but it is the best remediation available to you, given the exceptionally broad scope and months-long period where data was apparently leaking (the Cloudflare blog post lists 2016-09-22 as the first date when leaks were possible).

    • Change my name? Change my address? Change my date of birth? My mother's maiden name? My passport number?

      It's simply not possible to change all of the sensitive information that might have been leaked.
