Internet security breaches occur continuously, but most don’t have effects as far-reaching as those of the so-called Cloudbleed disaster. A Google researcher recently discovered a vulnerability in the code used by Cloudflare, which is one of the biggest Internet security firms in the world. Although the flaw in their code was tiny, it allowed an unknown amount of sensitive data to leak out across the Internet. Many small business owners are right to question what effect Cloudbleed will have on the security of their company’s sensitive data and critical systems. While that answer is not entirely clear, the steps that small businesses need to take to protect themselves are.
First, let’s take a look at Cloudflare’s background. This Internet security giant has a long list of prominent clients, including Uber, 1Password, Fitbit and OkCupid. Cloudflare’s menu of products includes everything from content delivery services to protection against DDoS attacks. Given that many of Cloudflare’s services center on security, it is ironic that Google researcher Tavis Ormandy recently identified a vulnerability in Cloudflare’s code that causes bits of data to leak during certain processes; this leaked data includes everything from hotel bookings and chat messages to password manager data. In plain English, the leak occurred because Cloudflare’s software had to find a place to store user data once the correct location filled up. Instead of going where it should, the leaked data ended up being stored on unsecured (and unrelated) webpages.
Knowing all of this, what steps should you take to secure your business’s sensitive data and critical systems? First, don’t bother trying to figure out if your passwords were among those compromised. While Cloudflare says that only a small amount of secure data was leaked, the vulnerability that allowed for this data leak lay undiscovered for six months; no one can say for certain how much data or which data was actually leaked. Furthermore, the nature of the leak means that lots of data may still be exposed even after Cloudflare has patched the issue, and even sites that are not Cloudflare clients could have some compromised data lurking on their servers. In short, trying to determine what sensitive data may have been exposed is a wild goose chase.
What your business should do is proceed as though your information may have been compromised. All of your employees should immediately change all passwords. Log out of any mobile applications after changing your passwords and then log back in. Most importantly, if you don’t already have two-factor authentication implemented, doing so should be your next step; two-factor authentication is not fail-safe, but it will offer your company the best line of defense against hacking.
Do you have questions about whether or not your business’ security protocols are robust enough to withstand threats?