Anatomy of a Breach: Cloudbleed — When Cloudflare's Memory Leaked Across Millions of Websites

> series: anatomy_of_a_breach —— part: 098 —— target: cloudflare —— affected: millions_of_websites —— duration: 5_months

Hedgehog Security 28 February 2017 12 min read

Cloudflare protects millions of websites. Its memory was leaking their secrets.

On 23 February 2017, Google Project Zero researcher Tavis Ormandy disclosed that he had discovered a critical bug in Cloudflare's HTML parser that caused the company's edge servers to leak fragments of server memory into HTTP responses. The leaked data — dubbed 'Cloudbleed' in reference to Heartbleed — could include anything that Cloudflare's servers were processing at that moment: passwords, session tokens, API keys, private messages, authentication cookies, and other sensitive data belonging to any of Cloudflare's millions of customer websites.

The bug had been introduced on 22 September 2016 and was active for approximately five months before Ormandy's discovery. During that period, leaked data had been cached by search engines including Google, Bing, and Yahoo — meaning sensitive data from Cloudflare-protected sites was publicly accessible in search engine caches. Cloudflare worked with search engines to purge the cached data, and the bug was patched within hours of Ormandy's report. But the incident demonstrated the concentration risk of depending on a single CDN/security provider for millions of websites.
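The parser failure described above, as an added illustration in C that is not from this article or from Cloudflare's code base. It models the defect Cloudflare's own post-mortem identified, an end-of-buffer check written as `p == pe` rather than `p >= pe`, using a constructed HTML fragment and a constructed "adjacent memory" region; the tag-skipping logic, the `BACKING` buffer and the `session=ABC123` string are assumptions made for the demonstration.

```c
#include <stddef.h>

/* Constructed sample: a 12-byte HTML fragment that ends inside an open
 * tag, followed in the same allocation by bytes that on a real edge
 * server would belong to some other request passing through. */
static const char BACKING[] = "<p>hi</p><sc" "####session=ABC123";
#define DOC_LEN 12
#define TAG_SKIP 7  /* strlen("<script"): bytes the parser jumps at once */
/* Copies the text outside tags from doc[0 .. doc_len) into out and returns
 * the byte count. strict_eq = 1 ends on "p == pe" (the operator Cloudflare's
 * post-mortem blamed), 0 ends on "p >= pe". hard_end is the physical end of
 * the allocation; it only keeps this demo inside BACKING, the real parser
 * had no such guard. */
size_t extract_text(const char *doc, size_t doc_len, const char *hard_end,
                    int strict_eq, char *out, size_t out_cap)
{
    const char *p = doc, *pe = doc + doc_len;
    size_t n = 0;
    int in_tag = 0;
    while (p < hard_end && n + 1 < out_cap) {
        if (in_tag) {
            if (*p == '>') in_tag = 0;
            p++;
        } else if (*p == '<' && p + 1 < hard_end && p[1] == 's') {
            /* Optimistic fast path: assume a complete "<script" tag and step
             * over it in one move; on a truncated document p lands past pe. */
            p += TAG_SKIP;
        } else if (*p == '<') {
            in_tag = 1;
            p++;
        } else {
            out[n++] = *p++;
        }
        /* Equality never fires once p has overshot pe, so parsing runs on
         * into whatever memory follows the document. */
        if (strict_eq ? (p == pe) : (p >= pe)) break;
    }
    out[n] = '\0';
    return n;
}

/* Parses the constructed sample with the chosen end check; returns the
 * bytes emitted (2 for "hi" is correct, more means leaked memory). */
size_t demo_bytes_emitted(int strict_eq)
{
    char out[64];
    return extract_text(BACKING, DOC_LEN, BACKING + sizeof BACKING - 1,
                        strict_eq, out, sizeof out);
}
```

With the equality check the parser emits the 14 bytes that follow the document (here the constructed session string) after "hi"; with `>=` it stops at the truncated tag and emits only "hi".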

When your security provider is the vulnerability.

Cloudbleed was a supply chain vulnerability in the purest sense: millions of websites relied on Cloudflare for security and performance, and a bug in Cloudflare's own code leaked their users' data. The websites themselves had no vulnerability — their security provider did. This parallels the RSA SecurID breach (2011) and the Comodo/DigiNotar CA compromises — all cases where the security vendor became the attack surface.

CDN Concentration Risk

Millions of websites depend on a handful of CDN providers. A bug in any one of them can expose data from every website behind it simultaneously. For organisations selecting CDN and security providers, the provider's own security posture is a critical evaluation criterion. Our <a href="/blog/sector-under-the-microscope-professional-services">supply chain analysis</a> examines third-party dependency risk.

Memory Leak ≈ Heartbleed Redux

Like <a href="/blog/anatomy-of-a-breach-heartbleed">Heartbleed</a>, Cloudbleed leaked server memory contents — potentially including credentials, tokens, and private data. Unlike Heartbleed (which required an attacker to actively exploit it), Cloudbleed leaked data passively into normal HTTP responses, meaning it was cached by search engines and potentially observed by any intermediary.

Five Months Active

The bug was active from September 2016 to February 2017 — five months of data leakage before detection. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for anomalous data in responses and network traffic patterns that might indicate memory leakage or data exposure.

Cloudflare's Response Was Exemplary

Cloudflare patched the bug within hours of notification, worked with search engines to purge cached data, and published a detailed, transparent incident report. Their response — rapid, transparent, and technically thorough — set a benchmark. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides the incident response capability to achieve this standard.

Your security provider must be as secure as you are.

Cloudbleed reinforced a lesson that has appeared throughout this series: your security is only as strong as your weakest dependency. For organisations using CDN providers, managed security services, or any third party that processes data on their behalf, the provider's own security posture is part of your risk surface. Cyber Essentials addresses supply chain security. Our infrastructure testing assesses third-party integration security. SOC in a Box monitors for data exposure regardless of source. And UK Cyber Defence provides incident response when supply chain vulnerabilities affect your organisation.


Cloudflare's bug leaked data from millions of websites. Who processes your data?

Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses third-party integration security. <a href="/cyber-essentials">Cyber Essentials</a> addresses supply chain risk. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for data exposure.
