Today, Cloudflare, together with Tavis Ormandy from Google, disclosed a Heartbleed-like security issue on Cloudflare’s servers. In short, the bug caused buffers on Cloudflare’s servers to overflow, so responses to ordinary requests could contain fragments of server memory. That memory could include private information belonging to other users of other sites behind Cloudflare, including but not limited to HTTPS cookies, authentication tokens, passwords and other sensitive data.

“The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003 per cent of requests).” — Cloudflare

More information about the vulnerability, which has since been fixed, can be found on the Cloudflare Incident Report Blog and on Google’s Project Zero.

Were TREZOR Services Affected?

While TREZOR services are protected by Cloudflare DNS, TREZOR Wallet and Password Manager were unaffected by this bug. TREZOR Wallet does not send any confidential or private data to our servers, so there is no such data that could have been stored or leaked. Random BTC addresses not linked to any identity are the only information that could have leaked.

TREZOR Password Manager stores all information on Dropbox, but only after it has been encrypted locally by TREZOR. Therefore, all of your data on Dropbox is safe too.

On the other hand, TREZOR Shop and TREZOR Support, which is hosted on Kayako, might have been affected by the Cloudbleed vulnerability. As we are unable to estimate exactly what data has been leaked, we strongly advise all of our users to change their passwords on these two platforms.

Please use these two links to reset your password, or change your password in account settings:

What Should I Do?

Since many popular websites use Cloudflare and its services, it is advisable that you change your passwords everywhere. Use a password manager, such as the TREZOR Password Manager, to create a different password for each and every website you log into, so that one leaked password cannot be reused against your other accounts.

Set up Second Factor Authentication for all important services that you use, preferably using the more secure U2F standard. If you have been using One Time Passwords as a second factor, generated by Google Authenticator or Authy, it is also strongly recommended that you reauthenticate them, because the service stores the same shared secret that your app uses to generate the codes. (No action is needed if you have been using U2F: the service holds only a public key, which is of no use to anyone who obtains it.)