Sites from a huge swath of the internet could be affected by a software bug from security company Cloudflare, potentially compromising user accounts at a number of bitcoin-focused websites, including Coinbase.
For months, the Cloudflare bug sat undiscovered, resulting in websites leaking uninitialized memory, including passwords and cookies.
Officials from Cloudflare say the risk is minimal, but security hawks are encouraging users to change their passwords out of an abundance of caution, particularly with respect to valuable financial accounts.
While the full extent of the breach remains unknown, and Cloudflare, citing security reasons, has not indicated which specific websites are affected, the company was responsible for some 4.2 million domains across the web. They include Coinbase, Bitstamp, LocalBitcoins.com, BitPay, Bitfinex and others associated with bitcoin and digital currency.
Since the issue was discovered and publicized, Cloudflare has killed the affected services. However, the company also revealed that the leaks could have begun as early as Sept. 22, 2016, meaning it’s possible a number of major websites were affected over the course of the bug’s presence.
Officials from Cloudflare believe that coverage of the issue has been overblown. In an interview with New York Magazine, Cloudflare CEO Matthew Prince said the bug appears to have been fixed before wide-scale exploits could take advantage of the flaw.
“It could have been extremely bad,” Prince said. “I think that we largely dodged a bullet.”