Cloudbleed Security Vulnerability
Due to the Cloudbleed security vulnerability, we have logged all users out of the website.
When you log back in, we ask that you change your password; that can be done here.
While we do not have reason to believe that any specific accounts have been compromised at this time, we do want to minimize the chances of that becoming an issue.
Thanks for the heads up. I just changed my password.
Holy crap, how could I have missed that advisory?
What a nasty bug; thanks a lot for making us aware. I guess I will spend the rest of the night changing all my passwords.
I just changed my password too. But I see two technical problems with this website. First, I don't see a link to the password editing area from the "User Menu" section in the left column, despite the fact that the "My account" link is shown. Second, in the password changing area, it should ask for the old password as well as the new password, just to add a layer of security in my opinion.
I'm sure those can be easily fixed. Thanks!
When you click on MY ACCOUNT, there's an EDIT option next to most options. If you click on that, you will see tabs where you can change almost everything, including your password.
Yeah, Drupal's being weird about that, and I haven't been able to get to the root of the problem unfortunately. (that's one reason why I included the link in my post)
I didn't know a buffer overrun would or could result in storing data "on a completely different website"? I thought it just let the hackers get access to the original website...
CloudFlare's platform proxies HTTP requests for many (millions?) of different websites. As such, one of their daemons, which proxies traffic for any given website in one request, can proxy traffic for an entirely different website in the next request.
The buffer overrun returned data to clients other than the intended ones; some of those clients were search engine spiders, which cached the data. Most of that data also had common meta identifiers in the dumps, so it was pretty easy to find until the search engines started purging it.
So you had effectively millions of passwords, auth tokens, encryption keys, etc, etc in plaintext on Google. This was, as bad things go in the security world, astoundingly bad.
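The mechanism described in the post above, as an added C example that is not part of the thread and is not CloudFlare's code: a single reusable buffer stands in for one proxy worker's memory. Tenant A's response is loaded first, then a shorter tenant B response whose end-of-response trailer has not arrived yet. The two sample responses, the `END` trailer framing and every name here are constructed for the illustration. `body_unsafe` scans for the trailer without consulting how many bytes belong to the current request, so it walks into tenant A's stale bytes and hands them to B's client as B's body; `body_safe` bounds every scan by the request length and reports the response as incomplete instead.

```c
#include <stdio.h>
#include <string.h>

/* One reusable buffer standing in for a proxy worker's memory. Like a pool
   allocator it is never cleared between requests, so whatever the previous
   tenant left behind stays readable. (Constructed illustration.) */
#define SLAB_SIZE 512
static char slab[SLAB_SIZE];

/* Constructed sample traffic for two unrelated tenants sharing the worker. */
static const char tenant_a[] =
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    "{\"api_key\":\"A_SECRET_KEY_0042\"}"
    "\r\nEND\r\n";                 /* assumed end-of-response trailer */

/* Tenant B's response arrived without its trailer: the rest is still in
   flight, or the upstream hung up early. */
static const char tenant_b[] =
    "HTTP/1.1 200 OK\r\n"
    "\r\n"
    "<html>site-b</html>";

static const char TRAILER[] = "\r\nEND\r\n";

/* Bounded substring search: index of needle in hay[0..n), or -1. */
static long memfind(const char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return (long)i;
    return -1;
}

/* Copy a response into the slab; returns how many bytes belong to it. */
static size_t load(const char *data)
{
    size_t n = strlen(data);
    memcpy(slab, data, n);
    return n;
}

/* Vulnerable parser: finds the body and copies up to the trailer, but bounds
   the scan by the slab size instead of the request length. When the trailer
   is missing it keeps reading into the previous tenant's bytes. */
static size_t body_unsafe(size_t len, char *out, size_t cap)
{
    (void)len;                                  /* the bug: len is ignored */
    long hdr = memfind(slab, SLAB_SIZE, "\r\n\r\n");
    if (hdr < 0) return 0;
    size_t start = (size_t)hdr + 4;
    long end = memfind(slab + start, SLAB_SIZE - start, TRAILER);
    if (end < 0) return 0;
    size_t n = (size_t)end;
    if (n >= cap) n = cap - 1;
    memcpy(out, slab + start, n);
    out[n] = '\0';
    return n;
}

/* Hardened parser: every scan stops at slab + len. A missing trailer means
   "incomplete, wait for more data" (-1), never "read further". */
static long body_safe(size_t len, char *out, size_t cap)
{
    long hdr = memfind(slab, len, "\r\n\r\n");
    if (hdr < 0) return -1;
    size_t start = (size_t)hdr + 4;
    long end = memfind(slab + start, len - start, TRAILER);
    if (end < 0) return -1;
    size_t n = (size_t)end;
    if (n >= cap) return -1;
    memcpy(out, slab + start, n);
    out[n] = '\0';
    return (long)n;
}

/* Replay the two-tenant sequence: does tenant A's key reach B's client? */
static int leaks_with_unsafe_parser(void)
{
    char out[SLAB_SIZE];
    load(tenant_a);
    size_t len_b = load(tenant_b);
    body_unsafe(len_b, out, sizeof out);
    return strstr(out, "A_SECRET_KEY_0042") != NULL;
}

static int leaks_with_safe_parser(void)
{
    char out[SLAB_SIZE] = "";
    load(tenant_a);
    size_t len_b = load(tenant_b);
    if (body_safe(len_b, out, sizeof out) < 0)
        return 0;                               /* refused: incomplete response */
    return strstr(out, "A_SECRET_KEY_0042") != NULL;
}

int main(void)
{
    char out[SLAB_SIZE];
    load(tenant_a);
    size_t len_b = load(tenant_b);
    size_t n = body_unsafe(len_b, out, sizeof out);
    printf("unsafe parser handed tenant B's client %zu bytes:\n%s\n", n, out);
    printf("safe parser result: %ld (negative = incomplete, nothing sent)\n",
           body_safe(len_b, out, sizeof out));
    return 0;
}
```

The point to take from the example is that the overread never leaves valid memory, which is why it crashed nothing and went unnoticed: the bytes after tenant B's 38 are a perfectly readable slab that simply belongs to someone else. Any client of the shared edge, including a search engine crawler, receives them as part of an ordinary 200 response.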