Cloudflare security breach exposes data from Uber, Fitbit, OKCupid among 3,400 websites; password changes recommended

User data from 3,400 websites has been leaked and cached by search engines as a result of a bug in Cloudflare, a content delivery network. Sites affected over the course of several months include major ones like Uber, Fitbit and dating site OKCupid. 1Password also uses Cloudflare, but says that end-to-end encryption means that no customer data was exposed.

ArsTechnica reports that the leaks were spotted by Google security researcher Tavis Ormandy.

We observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security.

Cloudflare has admitted that the breach occurred, but Ormandy and other security researchers believe the company is underplaying the severity of the incident …


LastPass survey finds 95% of Americans share passwords, 59% use same password for multiple sites

It’s no surprise that 95% of U.S. consumers share up to six passwords with other people when you consider that this includes WiFi passwords for home Internet connections and sharing Netflix passwords with family members, but a survey by LastPass showed that 59% also re-use the same passwords for multiple sites. Put the two facts together and people could potentially be allowing access to rather more than they intended.

The younger you are, the more likely you are to share passwords with friends: 40% of 18-29-year-olds do so, dropping to 15% for those aged 30-44 and 6% at 45-59. Only just over a quarter bother to reset a password after they’ve shared it with someone else.

While the company’s motivation is to promote the emergency access and password-sharing features it introduced last month, it does provide a nudge to ensure you’re not using your WiFi password for anything sensitive.

LastPass password manager update adds emergency access, sharing center and new UI [Video]

LastPass has updated its Android app and browser extensions to version 4.0 to add an emergency access feature and shared passwords, as well as a significantly revamped user-interface.

Emergency Access (shown below) is designed to ensure that you aren’t permanently locked out of your account if you ever forget your master password.

Emergency Access lets users designate trusted family, friends or colleagues to have access to their password vault in the case of an emergency. For added security, a user can require a waiting period between when an Emergency Access contact can request access to the vault and when access is granted. During the waiting period, users can decline an Emergency Access request to their vault.

The new Sharing Center is designed to provide a safe method of allowing multiple people access to the same account, such as when two or more family members want access to utility accounts …


Google & Dashlane introduce a new open source password manager API called ‘Open YOLO’

We all have a million passwords to keep track of, so tools that can help us keep them secure and also make them easier to use are always great. To make keeping track of passwords easier, Google has worked with Dashlane to create a new password management API called “Open YOLO” — which stands for “You Only Login Once.”
