What you need to know about ‘Cloudbleed,’ the latest internet security bug – Globalnews.ca


It's time to change your passwords once again, thanks to a potentially massive data leak.

It's once again time to change your passwords. A bug found in internet infrastructure company Cloudflare's software has been leaking personal data, including private chat logs and passwords, from hundreds of thousands of websites for months.

Cloudflare, which offers hosting and security services to websites, hosts six million sites, including services like Uber, Fitbit, OKCupid and password management program 1Password.


According to Google researchers who discovered the bug, now known as "Cloudbleed," the vulnerability had been sending chunks of data to users' browsers when they visited a webpage hosted by the company. The bug may have been active since September 2016, but researchers say it was definitely active from February 13 until it was discovered on February 18.

Of the leaked data, researchers said they found private messages from dating sites, full messages from chat services, online password data, frames from adult video sites and hotel booking details.


While the leak has the potential to be very dangerous for web users, the company said there is no evidence the data was accessed by hackers.

"We've seen absolutely no evidence that this has been exploited," Cloudflare Chief Technology Officer John Graham-Cumming told Reuters. "It's very unlikely that someone has got this information."

Researchers said about 120,000 webpages were leaking information every day. Graham-Cumming noted the company has been working with Google to remove any sensitive data that may have been indexed by search engines.

The website doesitusecloudflare.com has already been set up, allowing users to search through services they have signed up for to see if they might be affected.

Unfortunately, it's unclear just how many web users may have been affected by the Cloudflare bug. While the company has downplayed the severity of the leaked data and fixed the vulnerability itself, security experts warn there could still be fallout for those who use websites run by Cloudflare.


"While Cloudflare's service was rapidly patched to eliminate this bug, data was leaking constantly before this point, for months. Some of this data was cached publicly in search engines such as Google, and is being removed," wrote security expert Ryan Lackey in a blog post.

"Other data might exist in other caches and services throughout the Internet, and obviously it is impossible to coordinate deletion across all of these locations. There is always the potential someone malicious discovered this vulnerability independently."

Dating site OKCupid said its initial investigation revealed minimal, if any, exposure from the bug. 1Password also said none of its data was found to be at risk.

Lackey and others recommend users change their passwords right away, just in case any leaked data fell into the wrong hands.

"Cloudflare is behind many of the largest consumer web services (Uber, Fitbit, OKCupid, …), so rather than trying to identify which services are on Cloudflare, the most cautious is to use this as an opportunity to rotate ALL passwords on all of your sites," he said.

Security breaches like this one are a good opportunity to be more proactive about the type of passwords you use. For example, stay away from easy-to-guess passwords like "123456" or "password," as well as easy-to-guess identifiers, like your dog's name.

Experts say passwords that include a mix of letters, numbers and symbols are more secure, but numbers included in a password should never be something easy to guess based on the user. That means your age, the current year, or your address are not good choices. Similarly, the longer the password the better.

Passwords that use up to 10 uppercase and lowercase letters mixed with numbers are proven to be more secure despite being hard to remember.


One tip is to construct a password from a sentence and mix in a few uppercase letters and a number. For example, "There is no place like home" would become "tiNOplh62."

And remember, try not to use the same password for any two accounts.

If the website or service you are using offers two-step authentication, experts agree it's in your best interest to turn it on.

Two-factor or two-step authentication requires the user to set up their account so that a text message containing a secondary login code is sent to their phone every time they log in to their account. That means a hacker would have to have both your password and your cellphone in order to get access to your accounts.

With files from Reuters

© 2017 Global News, a division of Corus Entertainment Inc.
