In 2017 Cloudflare had an HTML parser bug that caused encrypted HTTP traffic to be leaked. Any website served by Cloudflare was vulnerable to having all of its traffic leaked into the HTML body response of the website that Cloudflare proxied. Given that Cloudflare is the proxy service for 80% of websites that use proxies, this affected a significant portion of the internet.
Cloudflare served private HTTP traffic in response bodies, meaning that website results contained cookies, session data, encrypted traffic, all personally identifiable, and because it was served as response bodies, it was *indexed by search engines*, not to mention anyone else who was scraping websites during the time of the incident. It included credit card information, frames from videos, PII, the works, all linked to individual users.
This was ongoing for *months.*
Anyone savvy could use this information to hijack accounts, scrape personal information, view private browsing habits. Even when Cloudflare publicly announced it (and tried to blame others) when they thought they had cleaned up most of the data, you could still easily use search engines to find people's personal information by searching for the Cloudflare header strings that started the leaked session information.
Many countries have legal policies around data breaches, including required disclosure policies and penalties. In the greatest blind eye turn of the history of the internet, Cloudflare managed to get away with a single blog post, and no other penalties. https://blog.cloudflare.com/incident-report-on-memory-leak-c...
Cloudflare served private HTTP traffic in response bodies, meaning that website results contained cookies, session data, encrypted traffic, all personally identifiable, and because it was served as response bodies, it was *indexed by search engines*, not to mention anyone else who was scraping websites during the time of the incident. It included credit card information, frames from videos, PII, the works, all linked to individual users.
This was ongoing for *months.*
Anyone savvy could use this information to hijack accounts, scrape personal information, view private browsing habits. Even when Cloudflare publicly announced it (and tried to blame others) when they thought they had cleaned up most of the data, you could still easily use search engines to find people's personal information by searching for the Cloudflare header strings that started the leaked session information.
Many countries have legal policies around data breaches, including required disclosure policies and penalties. In the greatest blind eye turn of the history of the internet, Cloudflare managed to get away with a single blog post, and no other penalties. https://blog.cloudflare.com/incident-report-on-memory-leak-c...
THAT is Cloudflare's disruption.