Comment by Kalium
8 years ago
Right there with you. I'm currently scrambling for remediation ideas. "Change everything" isn't tractable.
8 years ago
Right there with you. I'm currently scrambling for remediation ideas. "Change everything" isn't tractable.
>I'm currently scrambling for remediation ideas. "Change everything" isn't tractable.
It's not easy to deal with but it is the best remediation available to you, given the exceptionally broad scope and months-long period where data was apparently leaking (the cloudflare blog post lists 2016-09-22 as the first date when leaks were possible)
Change my name? Change my address? Change my date of birth? My mother's maiden name? My passport number?
It's simply not possible to change all of the sensitive information that might have been leaked.
I think I've settled on "change admin passwords, change any m2m auth credentials which don't require user intervention (API keys in apps, etc. should be rolled regularly anyway)"
Forcing individual end users to change their passwords is probably a net-negative. I might prioritize it if I have OTHER security improvements to roll out soon, though (2FA, upgrading auth infrastructure, other potential compromise, etc.).
I don't think anything else is really viable.
Bitcoin addresses/keys which transited Cloudflare probably should be updated, though, on the extremely off chance.
1 reply →
I'm scrambling to compile an list of impacted domains and some easy-to-understand instructions that I can send friends and family:
https://github.com/pirate/sites-using-cloudflare