Cloudflare Security Incident Report

Updated on February 24, 2017
Cloudflare Security Incident Report header image

Important Security Notice

As you may know, Vultr utilizes Cloudflare's CDN product to enhance the speed of our website around the globe and protect against various malicious attacks on our site.

Cloudflare recently revealed a security vulnerability that may have resulted in private data from sites whose data is behind the Cloudflare CDN. According to Cloudflare's security team, the greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage. While Cloudflare patched the discovered issue quickly, it was possible sensitive data was leaked to third party search engines that cache data such as Google.com.

Cloudflare has worked with the security team from Google to search cached data for any relevant Vultr links and has confirmed no data was found. Based on this we have no reason to believe any Vultr customer information has been compromised via this Cloudflare bug.

This is a good opportunity to remind you of best security practices to secure your account:

  • Enable 2 factor authentication for your main vultr.com account login.
  • Change your control panel password every 90 days (or less).
  • Always change your Instance's default password after initial deploy.
  • If you utilize the API service, ensure your API IP ACLs are configured correctly.
  • Routinely scan your computer for malware, spyware, browser extensions, and Virii that could compromise or leak private information.

We will continue to closely monitor the situation and stay in close contact with Cloudflare should there be any change in the facts we have received thus far. Your account security is our top priority here at Vultr.

Additional Background Information

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

https://bugs.chromium.org/p/project-zero/issues/detail?id=1139