Bitwage and Cloudbleed
Table of Contents
The CDN and DDoS Security service Cloudflare released a statement on February 23rd that approximately 150 of its customers during the period September 22, 2016 to February 18, 2017 were affected by a serious memory leak.
</ br>
See here: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
</ br>
Original bug report by Tavis Ormandy: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
</ br>
Bitwage was a customer of Cloudflare during the relevant time period, however Cloudflare notified Bitwage on February 24th that they have not found evidence that Bitwage was among the 150 customers affected by the memory leak. Since learning of the issue, Bitwage has migrated away from Cloudflare and is no longer a cloudflare customer. This can be seen if you look at our SSL certificates on bitwage.com or other bitwage sites.
</ br>
To be cautious, any customers who logged into the Bitwage site or app during the relevant time period are encouraged to reset their password and log out and login again to their app. Any API user during the time period are encouraged to regenerate their keys and any user who set up TOTP during the time period are encouraged to reset their TOTP.
</ br>
Note, we migrated away from Authy on February 21st, so any users who set up TOTP when we sent out emails about the new Bitwage Authenticator would have set up TOTP after the Cloudflare resolution time.