Well, handmade developers, it's been an interesting day so far.
Cloudflare issued a warning that, due to a memory leak in one of their HTML parsers, information could end up being leaked in the responses to completely unrelated requests.
TL;DR: Cloudflare screwed up, Google noticed and told them, Cloudflare fixed it, people will be resetting passwords everywhere for days to come.
Long story short: If your site was behind Cloudflare, they may have leaked potentially sensitive information; that information may have ended up in Google's and other caches. This was regardless of whether or not your site used the vulnerable features that caused it to leak, because your traffic might have previously transited through the node in question, with some of your pages remaining in memory.
So while it looks like we weren't part of the subset of sites that triggered a leak, our traffic may still have gone through their proxies at an inopportune time…
Better safe than sorry: we decided to invalidate the passwords of all members who hadn't changed their password today and to add a little note to the login form.
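A worked example of that kind of cutoff-based invalidation, added here as an illustration and not the site's own code. It assumes a members table with a password hash column and a last-changed timestamp (those column names and the sample rows are constructed); every account whose last password change predates the incident cutoff has its stored hash cleared, so the old password can no longer verify and the member has to go through the reset flow.

```python
import hmac
import sqlite3
from datetime import datetime, timezone

# Constructed sample schema; the table and column names are assumptions,
# not the site's real database layout.
SCHEMA = """
CREATE TABLE members (
    id                  INTEGER PRIMARY KEY,
    email               TEXT NOT NULL,
    password_hash       TEXT,           -- NULL means "no valid password; reset required"
    password_changed_at TEXT NOT NULL   -- ISO-8601 UTC timestamp
);
"""

# Constructed members; the "hash" strings stand in for real password hashes.
SAMPLE_MEMBERS = [
    (1, "alice@example.org", "hash_alice_old", "2017-02-01T10:00:00+00:00"),
    (2, "bob@example.org",   "hash_bob_old",   "2017-02-23T12:30:00+00:00"),  # changed after cutoff
    (3, "carol@example.org", "hash_carol_old", "2016-11-15T08:00:00+00:00"),
]

# Assumed incident cutoff: anything changed before this moment is treated as exposed.
CUTOFF = datetime(2017, 2, 23, tzinfo=timezone.utc)


def open_sample_db():
    """Build an in-memory database populated with the constructed members."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


def invalidate_passwords_before(conn, cutoff):
    """Clear the stored hash of every member whose last password change predates
    `cutoff` (a timezone-aware datetime). Returns the number of accounts affected.
    Idempotent: accounts already cleared are not counted again."""
    # Timestamps are stored as fixed-format ISO-8601 UTC strings, so a plain
    # string comparison orders them correctly.
    cur = conn.execute(
        "UPDATE members SET password_hash = NULL "
        "WHERE password_hash IS NOT NULL AND password_changed_at < ?",
        (cutoff.isoformat(),),
    )
    conn.commit()
    return cur.rowcount


def can_log_in(conn, email, candidate_hash):
    """Simulated login check: a cleared (NULL) hash never verifies.
    A real system would verify with its password-hashing library instead
    of comparing stored strings."""
    row = conn.execute(
        "SELECT password_hash FROM members WHERE email = ?", (email,)
    ).fetchone()
    if row is None or row[0] is None:
        return False
    return hmac.compare_digest(row[0], candidate_hash)


def needs_reset(conn, email):
    """True when the member must use the reset flow before logging in."""
    row = conn.execute(
        "SELECT password_hash FROM members WHERE email = ?", (email,)
    ).fetchone()
    return row is not None and row[0] is None


if __name__ == "__main__":
    db = open_sample_db()
    print("accounts invalidated:", invalidate_passwords_before(db, CUTOFF))
    for _, email, old_hash, _ in SAMPLE_MEMBERS:
        print(email, "login with old password:", can_log_in(db, email, old_hash),
              "| reset required:", needs_reset(db, email))
```

Clearing the hash rather than deleting the account keeps the member's data and email intact, so the normal reset flow (which only needs the email on file) still works; members who changed their password after the cutoff are left alone.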
And that's where we're at now, folks.
Should you request a password reset but not receive an email with a reset link in a reasonable time, it's possible you've signed up to the site using a different email address. In that case, please try using the alternate email address you might've used at the time.
This, as an aside, is another good reason to use a password vault such as KeePass. Other than safely storing strong passwords that are unique per site, it also allows you to store additional notes, like the email address you used to sign up with.
While it was already near the top of our technical roadmap, this incident underscored the usefulness of 2FA (two-factor authentication). It's a feature we're hoping to bring to you next month.
We apologise for the added inconvenience our response to this incident may have caused, but we felt it was necessary to act swiftly and decisively in the interest of our member base at large.
To forgo even more added inconvenience we won't be sending out mass emails telling people to change their password. Those who visit the site regularly will find themselves needing to use the password reset to be able to log in, and those who visit more infrequently, well… their old passwords will no longer work, so their accounts will be safe from abuse until their return.
We're of the opinion you'll be receiving enough solicitations to change your password from other sites over the next couple of days, and because the security of your accounts isn't affected, we feel no need to add to your burden until you desire to log in again.
Should there be interesting developments, we'll update this blog post.
- Jeroen on behalf of the staff.