Cloudflare, a service that provides security and performance optimization for more than 5.5 million websites, warned users on Thursday that it recently fixed a bug that exposed sensitive information including usernames and passwords.

The problem may be fixed now, but the fallout will be ongoing. Thousands of sites have reportedly experienced data leaks due to the bug, which has resulted in private information being exposed and cached by search engines—preserving the information for potential bad actors to make use of.

Sites and services like Uber, OKCupid, FitBit, and a number of other noteworthy companies have been affected by the bug—which reportedly had been active since Sept. 22, 2016.

The issue—which has been dubbed “Cloudbleed” in reference to the 2014 Heartbleed bug that allowed hackers to exploit a vulnerability to steal encrypted information—was first caught by Google security researcher Tavis Ormandy.

In a blog post published Thursday, Ormandy wrote, “We observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted Cloudflare security.”

Google, Bing, Yahoo and other search engines have been working to scrape their search results of any information that may have leaked due to the Cloudflare issue, but some information remains available—and, perhaps most concerning, was exposed for months.

Cloudflare acknowledged the issue and called the bug “serious,” but noted at its peak, one in every 3,300,000 HTTP requests—about 0.00003% of requests—through the service potentially resulted in memory leakage. “We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence,” the company said.

Ormandy noted on his blog that Cloudflare’s response to the issue “severely downplays the risk to customers.” Security researcher Ryan Lackey offered a similar observation, noting that while the risk to any individual piece of data may be low, the bug left a “broad range of data was potentially at risk.”

“Unless it can be shown conclusively that your data was not compromised, it would be prudent to act as if it were,” Lackey wrote in a post on Medium.

How Do I Protect Myself?

The first thing that anyone potentially affected by Cloudbleed—and that’s pretty much everyone with an internet connection, given the widespread use of Cloudflare—will want to do is change your passwords.

An unofficial list of sites believed to be hit by the bug is available on GitHub. Check and see if you have accounts on any of those sites or services and make a point to change your password.

Best Password Managers

To better deal with this type of widespread issue in the future—and as a general precaution to protect yourself against potential hacks—it’s also a good time to start using a password manager.

Many modern browsers have a version of password managers built in, but third-party options like Dashlane and LastPass are preferred by many. The services require you to remember just one master login while providing a random string of characters as your password for individual sites and services.

It should be noted that popular password manager 1Password uses Cloudflare but AgileBits, the company behind the service, is reporting none of its user data has been compromised by the Cloudbleed bug.

Users may also want to take the opportunity to set up two-factor authorization on their accounts. Many sites offer this security feature, which will prompt users to provide an extra method of authentication beyond just entering a username and password—usually in the form of a temporary code sent to a secondary device owned by the user.

Sites like and have lists of services that allow users to set up two-factor authorization.