Friday February 24, 2017

Yesterday, information about a breach of security at Cloudflare became public. Cloudflare is a provider of cloud-based security services for companies operating on the Internet. A bug in the HTML parsing code on their proxies caused a data leak, resulting in the possibility of sensitive information being sent in HTTP response payloads, including to search engines. As a result, some Cloudflare customers experienced a leak of sensitive data into search engine caches. Extensive information about the incident may be found on Cloudflare’s blog, here: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

VictorOps uses the Cloudflare proxy to provide DDoS mitigation and Web Application Firewall (WAF) protection for the VictorOps platform. Today, we received word from Cloudflare that VictorOps data was not present in any of the leaked data caches on search engines. We do not make use of Cloudflare’s “Email Obfuscation” or “Automatic HTTPS Rewrites” features. The “Server-side Excludes” feature was not in-use in our HTML code, however it was enabled for our domain, so we cannot completely rule out the possibility of a data leak, though we consider the risk very low. While we do not believe that any unencrypted passwords could have been leaked as a result of this bug, concerned customers may wish to initiate a password change for users on the VictorOps platform, and a change of API keys. Our support department stands ready to assist any customer with this process.

VictorOps remains committed to protecting our customers’ security and data privacy. We will continue to investigate and monitor this issue as more information becomes available, including a review of our use of the Cloudflare proxy. Please reach out to us at support@victorops.com if you have any questions.

Mike Meredith
Director of IT, VictorOps