Good afternoon everyone,
You have all received an email telling you to reset your CSSMA password. We received some questions about its legitimacy, and we would like to confirm that it came from us.
If you did not receive an email, follow this link to reset your password: https://www.cssma.ca/wp-login.php?action=lostpassword
Whichever way you get to the reset page, check that your browser's address bar shows https://www.cssma.ca/ before you type anything. That is the same check you should apply to any password-reset email, including ours.
Why do I need to reset my password?
When you connect to the CSSMA website, your connection does not go straight to our server: it passes through a service called Cloudflare, which sits in front of the site as a reverse proxy. Cloudflare terminates your encrypted (HTTPS) connection, caches unchanging content (like images) and serves it to you directly, and forwards the rest of your requests to the CSSMA server. This reduces the strain on our website and decreases loading times, but it also means that Cloudflare handles your requests, and our responses, in decrypted form. Cloudflare is a very popular service: five percent of global web traffic passes through it, and it is trusted by massive companies like Fitbit, Udemy, OKCupid, and Yelp.
This Thursday, February 23rd, 2017, Cloudflare announced (https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/) that a security issue had been found: a bug in the HTML parser running on Cloudflare's servers made them, under certain conditions, read past the end of the page they were processing and include whatever happened to sit next to it in memory in the response they sent out. That neighbouring memory could hold fragments of other traffic passing through the same server, for any Cloudflare-enabled site, so data you sent to or received from such a site may have ended up in a response delivered to someone else (and, because search engines crawl and cache pages, in their caches too). A site did not have to trigger the bug itself for its traffic to be exposed; it only had to share Cloudflare's servers at the time. As explained by user "niftich" on news.ycombinator.com:
"It's like some extremely popular remailer company accidentally put badly or barely shredded copies of handled letters into other people's envelopes. Strangers' sensitive info is potentially sitting inside unsuspecting mailboxes worldwide."
That data can include passwords, session cookies and personally identifiable information, potentially including data sent to or from CSSMA.
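The mechanism described above, shown in C as a constructed illustration added here (this is not Cloudflare's code and not code from the original message; Cloudflare's own report attributed the leak to its generated HTML parser testing for end-of-buffer with an equality check that a pointer could step over). The toy "edge server" below keeps two tenants' data side by side in one arena: the page being rewritten for site A, followed immediately by another user's in-flight request to site B. The rewrite step un-escapes backslash sequences, so it consumes two bytes at a time; when the page ends in a lone backslash, the vulnerable loop's `p == end` test is stepped over and the copy runs on into the neighbour's cookie and password. The hardened version bounds every read by `end`. All names, buffer sizes and sample data are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Toy model of an edge server's memory: one flat arena holding, back to
 * back, tenant A's HTML page (being rewritten) and an unrelated in-flight
 * request to tenant B. All of this is constructed sample data. */
#define ARENA_SIZE 128
#define OUT_CAP    128

struct arena {
    char mem[ARENA_SIZE];
};

/* Page ends in a lone backslash: the trigger for the over-read. */
static const char SAMPLE_PAGE[]  = "<p>Hi \\";
/* Another user's request to a different site, adjacent in memory. */
static const char SAMPLE_OTHER[] =
    "POST /login HTTP/1.1\r\nCookie: session=7f3a9c\r\n\r\n"
    "user=alice&password=CorrectHorse";

/* Lay the two buffers out adjacently; returns the page's end pointer. */
static const char *arena_init(struct arena *a, const char *page, const char *other)
{
    size_t plen = strlen(page);
    memset(a->mem, 0, sizeof a->mem);
    memcpy(a->mem, page, plen);                 /* tenant A at [0, plen) */
    memcpy(a->mem + plen, other, strlen(other)); /* tenant B starts exactly at end */
    return a->mem + plen;
}

/* Vulnerable rewrite: copies the page, un-escaping "\x" to "x".
 * The end-of-input test is an equality check. The escape branch advances
 * p by two, so a trailing backslash moves p from end-1 to end+1, the test
 * never fires, and the loop keeps copying the neighbour's bytes.
 * `limit` (the arena end) exists only to keep this toy inside defined
 * memory; a real server has no such guard and reads whatever is mapped. */
static size_t rewrite_vulnerable(const char *p, const char *end, const char *limit,
                                 char *out, size_t out_cap)
{
    size_t n = 0;
    for (;;) {
        if (n + 1 >= out_cap || p >= limit) break; /* toy-only guards */
        if (p == end) break;                       /* BUG: should be p >= end */
        if (*p == '\\' && p + 1 < limit) {
            out[n++] = p[1];                       /* consumes TWO input bytes */
            p += 2;
        } else {
            out[n++] = *p++;
        }
    }
    out[n] = '\0';
    return n;
}

/* Hardened rewrite: termination and look-ahead are both bounded by `end`,
 * so a dangling backslash is copied literally instead of read past. */
static size_t rewrite_fixed(const char *p, const char *end, char *out, size_t out_cap)
{
    size_t n = 0;
    while (n + 1 < out_cap && p < end) {           /* FIX: p >= end stops the loop */
        if (*p == '\\' && p + 1 < end) {           /* FIX: look-ahead stays inside the page */
            out[n++] = p[1];
            p += 2;
        } else {
            out[n++] = *p++;
        }
    }
    out[n] = '\0';
    return n;
}

/* Runs either variant over the constructed arena; returns output length. */
size_t run_rewrite(int hardened, char *out, size_t out_cap)
{
    struct arena a;
    const char *end = arena_init(&a, SAMPLE_PAGE, SAMPLE_OTHER);
    if (hardened)
        return rewrite_fixed(a.mem, end, out, out_cap);
    return rewrite_vulnerable(a.mem, end, a.mem + ARENA_SIZE, out, out_cap);
}

int main(void)
{
    char out[OUT_CAP];
    run_rewrite(0, out, sizeof out);
    printf("vulnerable output: %s\n", out); /* carries tenant B's cookie and password */
    run_rewrite(1, out, sizeof out);
    printf("hardened output:   %s\n", out); /* just the page, backslash intact */
    return 0;
}
```

The point to take from the two loops is that the fix is not only `>=` in place of `==`: every read the parser makes, including the look-ahead in the escape branch, has to be checked against the end of the buffer it was given, because the bytes beyond it belong to someone else.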
At this point it is not clear exactly which sites were affected and which were not, and it may never be. You should change the password for every site you use, and avoid using the same password for more than one site. Using a password manager like 1Password (whose maker stated that its users were not affected, because 1Password data is encrypted before it leaves your device) is recommended. Note that a password manager protects its own vault, not the password you typed into a Cloudflare-fronted site: that password still passed through Cloudflare in decrypted form, so change it regardless of how you stored it.
What has been done to mitigate this, and to prevent similar issues in the future?
Cloudflare has fixed the bug, and it is working with search engines and other large Internet services to purge leaked data from their caches, where some of it had been sitting in publicly accessible form.
On the level of CSSMA, there is not very much that can be done to prevent these sorts of breaches. We have stopped our use of Cloudflare for the time being, but like most websites, we rely on a variety of other services besides Cloudflare: Bluehost to host our website, WordPress to serve content, a variety of WordPress plugins to provide functionality, Comodo to issue our TLS certificate... the list goes on. A security breach in any one of these could expose confidential user data, and that risk can be reduced but not eliminated.
That said, we will continue to respond quickly to any security threat — in this case, we forced a password reset before Cloudflare even issued their official statement — and we will always inform you if your data is at risk.
The best way to protect yourself on the Web is to use a different password for every site, and to carefully judge where you enter your personal data. When you send data over the Internet, HTTPS puts it in a sealed envelope, but that envelope is opened by every service that has to read the contents to do its job: Cloudflare, our hosting provider, the site itself. Each of those is a place where something can go wrong. That is a risk we all must manage rather than avoid: a unique password per site means one leak cannot open every account you own, and data you never hand over cannot leak.
We hope you have a safe weekend,
The CSSMA Team