Yes, mistakes do happen, he said, adding that he expected that more companies will have issues like this where old code or other software dependencies come back to haunt them. "But it is imperative that users realize this is a dangerous security breach and take action."
His advice: change all your passwords immediately, use a password manager to make it easier to do so in the future and add two-factor authentication to accounts wherever possible.
Organizations which develop software should take this incident as a warning sign for their own development teams and processes, Wenzler said. "While speed is key in order to bring products to market, overlooking basic code review and security validation processes can result in something like Cloudbleed."
This is more than just a technical problem to be solved, he added, but it hits right at the reputation and credibility of the company and could end up costing an organization huge amounts of revenue from customers taking their business somewhere else. "I am a strong advocate that development houses take the time to review their applications as holistically as possible, and not solely look at the latest block of code, with the assumption that it will work perfectly with all the previously developed software."
John Bambenek, threat systems manager at Fidelis Cybersecurity, pointed out a lack of skilled workers to do thorough testing of custom security tools, but had praise for both Cloudflare and Google for their collaboration in fixing the bug. "Cloudflare should be commended for their transparency and quick response to the issue. This morning I received an email from them (I have a site behind CloudFlare) that detailed the issue and steps they've taken to remediate the issue. Both companies have demonstrated how to work together to address vulnerabilities quickly and protect the internet at large."
George Avetisov, CEO at HYPR, agreed that this is a major hack as content has already been leaked and cached by search engines. As there are a few digital currency websites on the list of affected sites, we're likely to see quantifiable financial damage as a result of this breach, he told SC.
When asked whether he believed Cloudflare was able to scrub data from the search engines, Avetisov told SC that the company cannot scrub search engines but only work with them to identify and remove incorrectly cached info. "Obviously, bad actors will not be known or comply if they are asked. Unfortunately, this problem is unlikely to be remedied entirely by Cloudflare and will require cooperation cross-industry."
Enterprises are going to see a lot of employee password resets today, he added. "But the true extent of the damage might not be revealed for several weeks. Employees are known to re-use passwords across personal and corporate accounts, so we are likely to see further indirect breaches as a result of the sites impacted by CloudLeak."
That's because any data transferred over these services during the vulnerable time should be considered public, he said. "This unfortunately includes personal conversations and dating services."
Right now, it's probably better for enterprises and consumers to remain calm and update their passwords, Avetisov said. "Overreacting and playing the blame game, like the internet did when HeartBleed was revealed, is not going to remedy the situation."
Alex Heid, chief research officer at SecurityScorecard, agreed that the leak appears to be quite serious, as the impact appears to be a complete compromise of confidential information being passed over HTTPS.
He told SC that as of mid-day Friday, he was still able to find cached information on Google. "The leaked data appears to have impacted everything being sent over an HTTP POST request, which can include authentication credentials such as passwords and API keys, as well as any text communications being passed," Heid told SC.
"It will be interesting to observe the fallout over the next several months, as information obtained during this leak is leveraged for future attacks, much in the same way compromised credentials were harvested and used from the HeartBleed incident, or from publicly circulating databases such as the LinkedIn and Dropbox breaches."
Erik Knight, CEO at SimpleWan, also believes the leak is very serious, "especially since Cloudflare has been touting its security." Knight believes it will take some time before the data is scrubbed from all the search engines.
"The data is already out there, it's not possible to undo what's already been captured," he told SC. And, he added, internal audits by Cloudflare should catch things like this.
This is a big event because of the wide reach of Cloudflare, Knight said. "But it's not surprising, we'll see more like this from other vendors in the space."