Cloudbleed

[Changaco]

Official sources:

• Incident report on memory leak caused by Cloudflare parser bug
• 1139 - cloudflare: Cloudflare Reverse Proxies are Dumping Uninitialized Memory - project-zero - Monorail

TL;DR there is a very small possibility that some private information belonging to Liberapay users was leaked.

Important data that could have been leaked:

• bank account numbers, and postal addresses of their owners
• identity information (full names, countries, and birthdays)
• passwords
• donations and transaction data (e.g. who you donate to and how much)

Non-exploitable data that could have been leaked:

• session cookies (6 hours timeout, potentially extended forever if you keep browsing but that doesn't happen in practice)
• CSRF cookies (7 days timeout)

Information that isn't affected at all:

• credit card numbers, they go directly to Payline

[Changaco]

Here's an attempt to determine how many passwords could be compromised:

select count(*) from participants where password is not null and (password_mtime >= '2016-09-22' and password_mtime < '2017-02-19' or session_expires >= '2016-09-22' and session_expires <= '2017-02-19');

It returns 294.

[EdOverflow]

Do you have a list of third-party services that Liberapay uses?

[Changaco]

@EdOverflow Our server communicates over HTTPS with:

• the social platforms that are listed on https://liberapay.com/explore/elsewhere
• sentry.io
• api.mangopay.com

Emails go through SMTP to Mailgun.

Aside from that we have accounts on various websites, the most important ones being cloudflare.com (DNS), gandi.net (DNS), redhat.com (server access), dashboard.mangopay.com (payments dashboard).