Cloudflare Cloudbleed Bug Exposed Passwords and Sensitive Web Session Data
A major bug in Cloudflare's edge infrastructure, widely dubbed Cloudbleed, caused fragments of sensitive data from customer websites to leak into web pages and search engine caches. Reports said the flaw exposed items including passwords, authentication tokens, private messages, cookies, and other in-memory data belonging to users of sites that relied on Cloudflare services, raising the risk of account compromise and unauthorized access.
Cloudflare said the issue stemmed from a parser bug tied to features such as email obfuscation, server-side excludes, and automatic HTTPS rewrites, and moved to disable affected components and work with search engines to purge cached leaked data. Security coverage urged users to change passwords and rotate credentials, while affected organizations were pressed to invalidate sessions, review logs, and assess whether exposed tokens or session identifiers could have been abused.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Cloudflare details Cloudbleed root cause and scope
Cloudflare disclosed that Cloudbleed was caused by a boundary-check error in machine-generated C code in its HTML parser, affecting Email Obfuscation, Server-Side Excludes, and Automatic HTTPS Rewrites. The company said the most significant leakage occurred from February 13 to 18 and estimated exposure across 3,438 domains and 150 customers, with leaked data appearing in about 1 out of every 3.3 million HTTP requests.
Users urged to change passwords after Cloudbleed disclosure
Following public reporting on the leak, security coverage advised users to change passwords and invalidate sessions because exposed credentials and authentication tokens may have been captured. The guidance reflected uncertainty over which sites and users were affected.
Cloudflare bug publicly disclosed as 'Cloudbleed'
News reports and public discussion on February 23 described a major Cloudflare bug that had leaked sensitive customer website data, including session tokens and passwords, into cached pages. The disclosure brought broad attention to the scope and severity of the incident.
Cloudflare disables affected features and begins remediation
After being alerted to the issue, Cloudflare identified the bug in its HTML parsing components and disabled vulnerable features while deploying a fix across its network. The company also began working to purge exposed data from search engine caches.
Google Project Zero researcher discovers Cloudflare memory leak
Google security researcher Tavis Ormandy discovered a bug in Cloudflare's edge infrastructure that caused chunks of sensitive memory, including passwords, cookies, and other private data, to be exposed in web pages and cached by search engines. The flaw later became known as 'Cloudbleed.'
Sources
4 references tracked. Mallory keeps watching after this page renders.
Everything You Need to Know About Cloudbleed, the Latest Internet Security Disaster
gizmodo.com
Open sourceChange Your Passwords. Now.
gizmodo.com
Open sourceCloudbleed: Big web brands 'leaked crypto keys, personal secrets' thanks to Cloudflare bug
theregister.co.uk
Open sourceMajor Cloudflare bug leaked sensitive data from customers' websites | TechCrunch
techcrunch.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Heartbleed OpenSSL Flaw Exposed Sensitive Memory Across Web Servers and Devices
OpenSSL disclosed **Heartbleed** (`CVE-2014-0160`), a critical flaw in the TLS/DTLS heartbeat extension caused by a missing bounds check that let remote attackers read up to **64 KB** of memory from vulnerable clients and servers. The bug affected OpenSSL `1.0.1` through `1.0.1f` and some `1.0.2-beta` releases, potentially exposing private keys, passwords, cookies, and other sensitive data without leaving reliable forensic traces. OpenSSL urged organizations to upgrade to `1.0.1g` or disable heartbeats if they could not patch immediately, while researchers and vendors warned that remediation also required rotating keys, revoking and reissuing certificates, and resetting passwords only after affected services had been fixed. The vulnerability triggered emergency responses across the Internet and in embedded infrastructure, with Cisco, Juniper, Western Digital, Apple, Android device makers, and major online platforms assessing or patching affected products. Reports showed the risk extended beyond websites to routers, VPNs, storage appliances, mobile devices, and other systems using embedded OpenSSL, while Cloudflare demonstrated that theft of SSL private keys was practically achievable and incident reporting linked the flaw to real-world compromise, including theft of Canadian taxpayer data and suspected corporate intrusions. The incident also exposed a structural weakness in Internet security: one of the web’s most widely trusted cryptographic libraries had been maintained by a small, underfunded team, prompting calls for sustained investment in critical open-source infrastructure.
Jun 8, 2026
Netcore Cloud Data Exposure of 40 Billion Unencrypted Mail Logs
A massive data exposure incident occurred involving Netcore Cloud, an Indian-based global email marketing and automation company, when a misconfigured server left over 40 billion records and 13.4 terabytes of data publicly accessible. The exposed database contained unencrypted mail logs, which included sensitive information such as email addresses, message subjects, internal delivery details, and technical data like IP addresses and SMTP configurations. Among the leaked records were healthcare notifications, banking activity alerts, and employment-related emails, some of which were marked as confidential. The data was accessible to anyone who knew the server’s IP address, posing a significant risk of unauthorized access and potential misuse. The breach affected Netcore Cloud’s global client base, which spans more than 6,500 brands across 40 countries and includes organizations in sectors such as ecommerce, finance, media, and travel. The exposure was discovered by cybersecurity researcher Jeremiah Fowler, who reported the issue after finding the database unprotected and unencrypted. Upon notification, Netcore Cloud responded promptly by securing the database and restricting public access on the same day. The company also requested additional information from the researcher to support its internal investigation. The incident highlights the risks associated with misconfigured cloud infrastructure, especially for companies handling large volumes of sensitive communication data. The scale of the exposure, both in terms of record count and data volume, makes it one of the more significant data leaks in recent times. The presence of confidential and technical information in the logs could facilitate further attacks, such as phishing or account compromise, if accessed by malicious actors. The incident underscores the importance of robust security controls, regular audits, and prompt response protocols for organizations managing critical customer data. Netcore Cloud’s swift action in securing the database likely mitigated further risk, but the exposure period remains unclear. The breach has raised concerns about data privacy and the security practices of third-party service providers in the email marketing industry. Organizations using Netcore Cloud’s services may need to assess their own exposure and consider additional safeguards. The event serves as a cautionary tale for all companies relying on cloud-based infrastructure to ensure proper configuration and continuous monitoring to prevent similar incidents.
Mar 21, 2026
Express website flaw exposed customer data in search engine results
Express remediated a website vulnerability that exposed sensitive customer information by allowing it to appear in search engine results. Reporting indicated that at least a dozen customers were affected after publicly accessible pages were indexed, making personal and transactional data discoverable online. The exposed information included names, email addresses, postal, billing, and delivery addresses, order details, phone numbers, and partial payment card information. While the reported scope appeared limited to a small number of customers, the incident involved multiple categories of personally identifiable and purchase-related data at the major U.S. clothing retailer.
May 24, 2026