Comment by dantiberian
8 years ago
With respect, the blog post buries the user with details. In my opinion, there should have been in bold at the top something like:
Title: Security report on memory disclosure caused by Cloudflare parser bug
(This is a security report, "incident" underplays this. Memory leak sounds a lot more innocuous than memory disclosure).
Data from any website that was proxied via Cloudflare since September 22, 2016 may have been leaked to third parties via a bug in Cloudflare's HTML parser. Operators using Cloudflare should:
* Invalidate session cookies
* Reset user passwords
* Rotate secrets
* Inform users that private data (chats, pictures, passwords, ...) may have been inadvertently leaked by Cloudflare.
* ...
Users using websites proxied by Cloudflare should:
* Reset their passwords
* Log in/out of sessions to remove session tokens
(Begin rest of post)
Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare. ...