Several fintechs are assuring customers that their data was unaffected by the recent Cloudbleed bug affecting systems of the content delivery network Cloudflare.
During a period between September 2016 and this month, passwords, private messages, API keys and other sensitive data were mistakenly leaked by Cloudflare to random requesters.
According to a blog post from Cloudflare, during that time “edge servers were running past the end of a buffer and returning memory that contained private information … and some of that data had been cached by search engines.”
“For the avoidance of doubt, Cloudflare customer SSL private keys were not leaked,” the post continued.
Since the company’s announcement, several fintech firms have reached out to customers to assure them of their data’s safety and used the event as an opportunity to reiterate good password practices.
In a blog post on Friday, the digital wealth adviser Betterment said it is “confident that customer account information is safe.”
“Cloudflare performed its own internal review and determined that Betterment’s data was not included in the information exposed by the vulnerability,” the blog post read. Betterment told users they didn’t need to change their passwords, but encouraged them to strengthen their passwords and enable two-factor authentication in the post, too.
The payments firm TransferWise also said in a Friday blog post that it is confident that customer data is safe. The TransferWise blog post also detailed the Cloudflare bug. TransferWise also told users that they didn’t need to reset their passwords, but encouraged them to pick strong ones that are not the same ones used on different websites and services.
A spokeswoman for the online lender Prosper said in an email Monday that there is no indication that Prosper user data was exposed, but that the customers should still reset their passwords.
In an email to its users on Friday, the digital asset exchange Kraken suggested that users change their passwords, remove and re-enable two-factor authentication and reset API keys. Kraken, however, did not say whether it believed customer data had been compromised.
The digital asset exchange Coinbase said in a blog post Friday that it had identified “only one single instance of a leaked Coinbase session cookie, which we immediately invalidated.”
“The Coinbase security team will continue to work closely with Cloudflare to determine what, if any, other data may have been exposed by this event,” Coinbase said in the post. “We have no reason to believe that any Coinbase customer’s personal data or account has been compromised.”
Founded in 2009 in San Francisco, Cloudflare provides security and content optimization services behind-the-scenes for millions of websites, including many fortune 500 companies. After discovering the bug, a team consisting of Cloudflare software engineering, information security and operations personnel formed in San Francisco and London “to fully understand the underlying cause, to understand the effect of the memory leakage, and to work with Google and other search engines to remove any cached HTTP responses.”