You may have read some news online: A major internet infrastructure provider called Cloudflare reported a bug, which exposed private data of some websites that use its services.
Cloudflare is a very big player in web infrastructure, whose services are used to improve website performance as well as privacy and security. By some estimates, as much as 10% of internet traffic passes through Cloudflare.
A bug in Cloudflare meant that information intended for one website could have been accidentally passed to a different website. Wave uses Cloudflare, so of course we have been in contact with Cloudflare and have been monitoring this situation closely.
We have been informed by Cloudflare that Wave data was not included in the data that is known to have been leaked. We expect Cloudflare to continue investigating, and will update this statement if new information comes to light.
It's also worth pointing out that this bug was discovered by security researchers at Google, and as of this time there have been no reports of the leaked data being used maliciously.
Nonetheless, we also believe strongly in taking every precaution to protect yourself. Changing (rotating) passwords on a regular basis is good security practice, and we recommend that all customers use this opportunity to do so today, not just for Wave but for any online services you use.
We do not in any way mean to minimize the severity of this matter. It deserves (and is getting) very close scrutiny from our engineering and security teams, and we expect the same to be happening at Cloudflare. But our current understanding is that Wave customer data has not been found in the leaked data.
Appearing on lists
We're aware of a variety of lists that have begun circulating, identifying Cloudflare users.
These lists are generated automatically by checking if a given website appears to use Cloudflare. However, it's important to note: These are not lists of sites whose data was leaked; they are lists of sites that use some part of Cloudflare's tool set.
Cloudflare estimates that less than 0.00003% of requests they handle (1 in 3.3 million) were impacted by the "Cloudbleed" bug. In other words, these lists are good for identifying which of your services you should be contacting, but they do not identify services whose data was actually compromised.
As always, our customers’ privacy and security are paramount, and we’ll continue to monitor this situation to let you know if anything changes.