A serious bug within the code running on Cloudflare edge servers may have leaked sensitive data from a large number of websites over many months. First, and most importantly, the DNAnexus Platform has not been impacted by this incident and no DNAnexus user data has been leaked.
Cloudflare provides Content Distribution Network (CDN) services, which enable providers of web content to enhance user experience by caching web content on edge servers geographically proximate to the web client. As part of a shared service, each edge server presents web content from multiple Cloudflare customers.
The bug led to a condition whereby the edge servers were returning content entirely unrelated to the requested web content, and that leaked content contained unencrypted private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. Search engines subsequently crawled and cached this leaked content, enabling it to be searched. For example, a web request to a ride sharing service could have resulted in leaked content being returned from a dating service.
DNAnexus uses the Cloudflare CDN service only to accelerate serving of public web content, such as web site images, help text, and html/css. DNAnexus does not serve any credentials, tokens, nor user data via the CDN and thus DNAnexus users are not impacted by this bug, and no DNAnexus user information has been leaked.
DNAnexus users do not need to change their DNAnexus password, unless they use similar passwords for other websites that were affected. We strongly recommend that users always choose a unique password for their DNAnexus account and that they configure their account to use two-factor authentication as described in the DNAnexus wiki documentation.
If you have any questions about your account, please contact our customer support team at support@dnanexus.com.
