Last night Google’s security team published details about a security bug in a leading cloud services provider, Cloudflare.
Cloudflare sits between web sites and users to optimize content delivery and provide protection from hackers and DDoS attacks. Cloudflare is used by over 4 million websites, including cronometer.com.
While the practical risk to our users is considered extremely low (1 in every 3.3 million web requests potentially leaked memory from their system), we want to make sure you are aware that there was the potential for your passwords and session tokens to be leaked if you used cronometer while the vulnerability was active (September 22nd, 2016 — February 18th 2017).
As a precaution, we will be invalidating all session tokens generated during this window, which will result in many people getting logged out of the app. It is also advisable to change your cronometer.com password, as well as for any other sites you may have accounts with that were using Cloudflare (Fitbit, Uber, OkCupid, Yelp, and many more).
For more general information on the issue, this TechCrunch article has a good summary.
Again, to be clear, we believe there is practically little to no risk to our customers, and there’s no evidence any of our customers’ sessions were compromised, but we are taking all necessary precautions. If you have any questions or concerns, please contact our support team at firstname.lastname@example.org.