to an unknown party who gained accessAttack.Databreachto an organization email account last month , according to a letter sent to members . The organization sent the letter Tuesday to about 2,800 members who may have been affected by the data breachAttack.Databreach. Christina Salcido , vice president of mission operations , said members ’ names , birth dates , home addresses , insurance policy numbers and health history information could have been accessedAttack.Databreachfrom Sept 30 to Oct 1 . “ Out of an abundance of caution , we are notifying everyone whose email was in this email account , ” Salcido wrote in the letter . On the day the organization became aware of the breach , IT services changed the password and determined it was secure , Salcido wrote . The Girl Scouts of Orange County reviewed the account , eliminated all personal information it contained and notified the California attorney general ’ s office of the breach . Because the email account was used for the organization ’ s travel purposes , it contained information about members dating to 2014 . Salcido said the third party used the account to send messages , but she did not specify what type of messages were sent . Elizabeth Fairchild , spokeswoman for the Girl Scouts of Orange County , said staff members noticed Oct 1 that the email account had been used the day before “ to send out non-Girl Scout related emails. ” On Oct 1 , staff members sent an email to members telling them what happened , stating they had secured the account and advising them to not open any unusual emails from that account . “ The vast majority of information stored in the account was nonsensitive , ” Fairchild said . “ Fewer than 300 had sensitive information stored in the account. ” The Girl Scouts of Orange County provided contact information for the credit bureaus Equifax , Experian and TransUnion and suggested that members place fraud alerts on their accounts . If members have questions or concerns about the breach , they can call ( 800 ) 974-9444 or email customercare @ girlscoutsoc.org .
The Intercontinental Hotels Group data breachAttack.Databreachpreviously announced in February as affecting 12 hotels in the chain has proven to have been far more extensive than was first thought . Last week the group announced that the breachAttack.Databreachaffected guests that used their credit cards to pay at franchisee hotels across the United States and in Puerto Rico between September 29 , 2016 and December 29 , 2016 . According to the chain ’ s website , the Intercontinental Hotels Group data breachAttack.Databreachpotentially affected guests who stayed at its Holiday Inn , Holiday Inn Express , Crowne Plaza , Staybridge Suites , Candlewood Suites , Hotel Indigo , and InterContinental Hotels . The full list of hotels that have potentially been affected by the malware incident has been listed on the IHG website . In total , 1,184 of the group ’ s hotels have potentially been affected . The Intercontinental Hotels Group data breachAttack.Databreachinvolved malware that had been downloaded onto its systems , which was capable of monitoring payment card systems and exfiltratingAttack.Databreachpayment card data . It does not appear that any other information other than card details and cardholders ’ names were stolenAttack.Databreachby the attackers . The hotel group does not believe the data breachAttack.Databreachextended past December 29 , 2016 , although that can not be entirely ruled out as it took until February/March for all of the affected hotels to be investigated and for confirmation to be received that the malware had been removed . Prior to the malware being installed , IHG had started installing the OHG Secure Payment Solution ( SPS ) , which provides point to point encryption to prevent incidents such as this from resulting in the theft of clients ’ data . Had the process started sooner , the Intercontinental Hotel Group data breachAttack.Databreachcould have been prevented . Hotels that had implemented the SPS prior to September 29 , 2016 were not affected and those that had implemented the solution between September 29 , 2016 and December 29 , 2016 stopped the malware from being able to locate and stealAttack.Databreachcredit card data . In those cases , only clients that used their credit cards at affected hotels between September 29 , 2016 and when the SPS system was installed were affected . Intercontinental Hotels Group Data Breach One of Many Affecting the Hospitality Sector The Intercontinental Hotels Group data breachAttack.Databreachstands out due to the extent to which the group was affected , with well over 1,100 hotels affected . However , this is far from the only hotel group to have been affected by POS malware . Previous incidents have also been reported by Hard Rock Hotels , Hilton Hotels , Omni Hotels & Resorts and Trump Hotels . Hotels , in particular hotel chains , are big targets for cybercriminals due to the size of the prize . Many hotel guests choose to pay for their rooms and services on credit cards rather than in cash , and each hotel services many thousands – often tens of thousands – of guests each year . Globally , IHG hotels service more than 150 million guests every year , which is a tremendous number of credit and debit cards . Such a widespread malware infection would be highly lucrative for the attackers . Credit card numbers may only sell for a couple of dollars a time , but with that number of guests , an attackAttack.Databreachsuch as this would be a huge pay day for the attackers .
Cybersecurity experts and companies on Long Island are looking for ways to shore up the weakest link on company computer networks : the employee . Local cybersecurity professionals are creating interactive comic books , testing employees with simulated phishing emails — tailored messages that seek to obtain key information , such as passwords — and seeking to convince top executives that the threat of business disruption from hacking requires their attention . “ The biggest problem is not the technology ; it ’ s the people , ” said Laurin Buchanan , principal investigator at Secure Decisions , a division of Northport software developer Applied Visions Inc. Sixty percent of cyber-assaults on businesses can be traced to insiders ’ actions , either inadvertent or malicious , according to a 2016 study by IBM Security . The average cost of a data breachAttack.Databreachfor U.S. companies is $ 7.4 million , or $ 225 per lost or stolen record , a June 2017 study by IBM and the Ponemon Institute , a Traverse City , Michigan , researcher , found . Costs related to data breachesAttack.Databreachcan include the investigation , legal costs to defend against and settle class-action lawsuits , credit monitoring for affected customers , and coverage of fraud losses . Harder to gauge is the cost to a company ’ s reputation . One of the largest hacksAttack.Databreachever was disclosed this month , when credit reporting company Equifax Inc. revealed that sensitive data from 143 million consumers , including Social Security numbers and birth dates , was exposedAttack.Databreach. A stock analyst from Stifel Financial Corp. estimated that the attack will cost Equifax about $ 300 million in direct expenses . Investors seem to think the incident will have a much greater impact on At a seminar in Garden City this month , Henry Prince , chief security officer at Shellproof Security in Greenvale , explained how in a ransomware attackAttack.Ransom— one of many types — cybercriminals can buy specialized tools such as those used to sendAttack.Phishingphishing emails . The easy availability of that software means that hackers require “ no programming experience , ” Prince said . Phishing emails can be blocked by company email filters , firewalls and anti-virus software . But if one gets throughAttack.Phishingand an employee clicks on the link in the phishing email , the business ’ network is compromised . Hackers can then encrypt files , preventing access to them by the company and crippling the business , Prince said at the seminar . Hackers then can demand paymentAttack.Ransom, typically in an untraceable cryptocurrency like Bitcoin — a digital asset that uses encryption — before agreeing to decrypt the files . “ Ransomware is a business to these people , ” Prince said . “ Ninety-nine percent of the time , ransomware requires user interaction to infect. ” Della Ragione echoed that sentiment : “ The greatest risk at a company is the employees . Training employees is one of the best steps in shoring up your defenses. ” In response , many local experts and companies focus on teaching employees how to resist hackers ’ tricks . Secure Decisions has developed interactive comics to teach employees ways of detecting “ phishing ” emails and other hacking attempts . The company has gotten more than $ 1 million for research related to the interactive comic project , known as Comic-BEE , from the Department of Homeland Security , as well as a grant for $ 162,262 from the National Science Foundation . The comics , inspired by children ’ s “ Choose Your Own Adventure ” books , feature different plots depending on the reader ’ s choices . “ If you can give people the opportunity to role-play , some of the exhortations by the experts will make more sense , ” Buchanan said . The comics are being field-tested at several companies and Stony Brook University . They were featured in July at a DHS cybersecurity workshop in Washington , D.C. Radu Sion , a computer science professor at Stony Brook and director of its National Security Institute , which studies how to secure digital communications , acknowledged that security is far from a priority for most users . “ Ultimately , the average Joe doesn ’ t care , ” he said . “ You [ should ] treat the vast majority of your users as easily hackable. ” Northwell Health , the New Hyde Park-based health care system that is the largest private employer in New York State , is trying to find and get the attention of those inattentive employees . Kathy Hughes , Northwell vice president and chief information security officer , sends out “ phishing simulations ” to the workforce . The emails are designed to mimicAttack.Phishinga real phishing campaignAttack.Phishingthat seeks passwords and personal information . In April , for instance , Northwell sent outAttack.Phishingphishing emails with a tax theme . Hughes collects reports on which employees take the baitAttack.Phishingby user , department and job function . “ We present them with a teachable moment , ” she said . “ We point out things in the email that they should have looked at more carefully. ” The emails are supplemented with newsletters , screen savers and digital signage reminding users that hackers are lurking . Another tool : Non-Northwell emails have an “ external ” notation in the subject line , making it harder for outsiders to pretend to beAttack.Phishinga colleague . “ We let [ the employees ] know that they are part of the security team , ” she said . “ Everybody has a responsibility for security. ” One of the most important constituencies for security is top executives . Drew Walker , a cybersecurity expert at Vector Solutions in Tampa , Florida , said many executives would rather not know about vulnerabilities to their computer systems , because knowledge of a hole makes them legally vulnerable and casts them in a bad light . “ Nine times out of 10 , they don ’ t want to hear it , ” he said . “ It makes them look bad. ” Richard Frankel , a former FBI special agent who is of counsel at Ruskin Moscou , said that company tests of cybersecurity readiness often snare CEOs who weren ’ t paying attention to training . But attorney Della Ragione said high-profile attacks are getting notice from executives . “ Everyone ’ s consciousness is being raised , ” she said . Data leaksAttack.Databreachat Long Island companies have caused executives to heighten security . In 2014 , Farmingdale-based supermarket chain Uncle Giuseppe ’ s Marketplace said that foreign hackers had breachedAttack.Databreachthe credit card database of three stores . Joseph Neglia , director of information technology at Uncle Giuseppe ’ s , said that after the data breachAttack.Databreach, which affected about 100 customers , the company began scheduling “ monthly vulnerability scans ” and upgraded its monitoring and security systems . For businesses , Stony Brook ’ s Sion said , the cybersecurity threat is real and immediate . “ I need one second with your machine to compromise it forever and ever , ” he said . “ It ’ s an uphill battle . ”
Hard Rock Hotels & Casinos alongside Loews Hotels have warned customers that a security failure may have resulted in the theft of their information . Both incidents appear to have been linked to a third-party reservation platform , SynXis , which only begun informing client hotels of the security breach in June , months after the attacks took place . Hard Rock Hotels & Casinos issued a statement informing customers of the data breachAttack.Databreachlast week , which took place due to the Sabre Hospitality Solutions SynXis third-party reservation system . The hotel chain , which operates 176 cafes , 24 hotels and 11 casinos in 75 countries , said SynXis , the backbone infrastructure for reservations made through hotels and travel agencies , provided the avenue for data theftAttack.Databreachand the exposureAttack.Databreachof customer information . `` The unauthorized party first obtained accessAttack.Databreachto payment card and other reservation information on August 10 , 2016 , '' the hotel chain said. `` The last accessAttack.Databreachto payment card information was on March 9 , 2017 . '' Hard Rock Hotel & Casino properties in Biloxi , Cancun , Chicago , Goa , Las Vegas , Palm Springs , Panama Megapolis , Punta Cana , Rivera Maya , San Diego and Vallarta are all affected . According to Sabre , an `` unauthorized party gained accessAttack.Databreachto account credentials that permitted unauthorized accessAttack.Databreachto payment card information , as well as certain reservation information '' for a `` subset '' of reservations . The attacker was able to grabAttack.Databreachunencrypted payment card information for hotel reservations , including cardholder names , card numbers , and expiration dates . In some cases , security codes were also exposedAttack.Databreach, alongside guest names , email addresses , phone numbers , and addresses . In May , Sabre said an investigation into a possible breach was underway . In a quarterly SEC filing , the company said , `` unauthorized access has been shut off , and there is no evidence of continued unauthorized activity at this time . '' While Sabre has not revealed exactly how the system was breached , the company has hired third-party cybersecurity firm Mandiant to investigate . Loews Hotels also appears to be a victim of the same security failure . According to NBC , Sabre was also at fault and cyberattackers were able to slurpAttack.Databreachcredit card , security code , and password information through the booking portal . In some cases , email addresses , phone numbers , and street addresses were also allegedly exposedAttack.Databreach. According to Sabre , its software is used by roughly 36,000 hotel properties . `` Not all reservations that were viewed included the payment card security code , as a large percentage of bookings were made without a security code being provided , '' Sabre said in a statement . `` Others were processed using virtual card numbers in lieu of consumer credit cards . Sabre has notified law enforcement and the credit card brands as part of our investigation . '' If you stayed in one of these properties on the dates mentioned above , you may be at risk of identity theft should the attackers choose to sell their stolen cache of data . Sabre suggests signing up for a free credit report -- available to US consumers once a year for free -- and notify their bank of any stolen activity . However , no compensation has yet been made available . These hotel chains are far from the only ones that have suffered a data breachAttack.Databreachin recent years . Back in April , InterContinental admitted that a data breachAttack.Databreachfirst believed to be isolated to 12 properties actually harmed roughly 1,200 , resulting in the exposureAttack.Databreachof customer credit card data .
Science Inc. , the company behind the popular online poll creation app Wishbone , has suffered a data breachAttack.Databreach. As a consequence , personal and account information of over 2.2 million of the app ’ s users is being circulatedAttack.Databreachon underground forums . The compromised records include names , usernames , email addresses and telephone numbers of the users , but also their gender and birth date ( if they chose to share that info when they set up the account ) . According to Troy Hunt , who received a copy of the compromised MongoDB database , 2,326,452 full names , 2,247,314 unique email addresses , and 287,502 cellphone numbers were included . Most importantly , the great majority of Wishbone users are teenagers and young adults , and predominantly female . “ I ’ d be worried about the potential for kids to abuse the data , ” Hunt told Motherboard . “ There ’ s a lot of young people in there and finding , say , young females and being able to contact them by phone is a worry ” . Not only that , but the data could be used to ferret out additional information about these persons , either via phishingAttack.Phishingor by searching the Internet for unsecured social media accounts that can be tied to them . Armed with all this information , fraudsters could easily perpetrate identity theft schemes . And perhaps the stolen data has already been misused . Hunt say that the data breachAttack.Databreachdates back to August 2016 , but according to the notification letter the Wishbone team sent out , they “ became aware that unknown individuals may have had accessAttack.Databreachto an API without authorization and were able to obtainAttack.Databreachaccount information of its users ” only on March 14 , 2017 . Since then , they “ rectifiedVulnerability-related.PatchVulnerability” the vulnerability that allowed the information to be slurpedAttack.Databreachby the attackers , and are now advising users to consider changing their passwords ( even though they have not been compromisedAttack.Databreachin the incidentAttack.Databreach) .
E-Sports Entertainment Association ( ESEA ) , one of the largest competitive video gaming communities on the planet , was hacked last December . As a result , a database containing 1.5 million player profiles was compromised . On Sunday , ESEA posted a message to Twitter , reminding players of the warning issued on December 30 , 2016 , three days after they were informed of the hack . Sunday ’ s message said the leak of player informationAttack.Databreachwas expected , but they ’ ve not confirmed if the leaked recordsAttack.Databreachcame from their systems . Late Saturday evening , breach notification service LeakedSource announced the addition of 1,503,707 ESEA records to their database . When asked for additional information by Salted Hash , a LeakedSource spokesperson shared the database schema , as well as sample records pulled at random from the database . Learn about top security certifications : Who they 're for , what they cost , and which you need . However , in all , there are more than 90 fields associated with a given player record in the ESEA database . While the passwords are safe , the other data points in the leaked records could be used to construct a number of socially-based attacks , including PhishingAttack.Phishing. Players on Reddit have confirmed their information was discovered in the leaked data . A similar confirmation was made Twitch ’ s Jimmy Whisenhunt on Twitter . The LeakedSource spokesperson said that the ESEA hack was part of a ransom schemeAttack.Ransom, as the hacker responsible demandedAttack.Ransom$ 50,000 in paymentAttack.Ransom. In exchange for meeting their demands , the hacker would keep silent about the ESEA hack and help the organization address the security flaw that made it possible . In their previous notification , ESEA said they learned about the incidentAttack.Databreachon December 27 , but make no mention of any related extortion attemptsAttack.Ransom. The organization reset passwords , multi-factor authentication tokens , and security questions as part of their recovery efforts . We ’ ve reached out to confirm the extortion attemptAttack.Ransomclaims made by the hacker , as well as the total count for players affected by the data breachAttack.Databreach. In an emailed statement , a spokesperson for ESL Gaming ( parent company to Turtle Entertainment ) confirmed that the hacker did in fact attempt to extort moneyAttack.Ransom, but the sum demandedAttack.Ransomwas `` substantially higher '' than the $ 50,000 previously mentioned . The company refused to give into the extortion demandsAttack.Ransom, and went public with details before the hacker could publish anything . The statement also confirms the affected user count of 1.5 million , and stressed the point that ESEA passwords were hashed with bcrypt . When it comes to the profile fields , where more than 90 data points are listed , ESL Gaming says those are optional data points for profile settings . `` We take the security and integrity of customer details very seriously and we are doing everything in our power to investigate this incident , establish precisely what has been taken , and make changes to our systems to mitigate any further breaches . The authorities ( FBI ) were also informed and we will do everything possible to facilitate the investigation of this attack , '' the message from ESL Gaming concluded . `` Based on the proof provided to us by the threat actor of possessionAttack.Databreachof the stolen data , we were able to identify the scope of the data that was accessedAttack.Databreach. While the primary concern and focus was on personal data , some of ESEA ’ s internal infrastructure including configuration settings of game server hardware specifications , as well as game server IPs was also accessibleAttack.Databreach. Due to the ongoing investigation , we prioritized customer user data first , '' the statement explains . In the days that followed that initial contact , ESEA worked to secure their systems , and the hacker kept making demands . On January 7 , ESEA learned the hacker also exfiltratedAttack.Databreachintellectual property from the compromised servers
For those unfamiliar with the tool , Rsync ( remote sync ) is commonly used by hosting providers , ISPs , and IT departments to backup data between servers . The ISP in question , KWIC Internet in Simcoe , Ontario , fixedVulnerability-related.PatchVulnerabilitythe Rsync problems after being notifiedVulnerability-related.DiscoverVulnerabilityby Salted Hash , but it isn ’ t clear how long the company ’ s customers were exposed . Via email , Vickery shared his latest findingsVulnerability-related.DiscoverVulnerabilitywith Salted Hash last week . [ Learn about top security certifications : Who they 're for , what they cost , and which you need . Initially , Vickery discovered databases belonging to Annex Business Media , a publishing firm with offices in Simcoe and Aurora , Ontario . One of the exposed Annex databases stood out to him , as it contained the data from the 2015 Ashley Madison data breachAttack.Databreach. The other databases contained customer information ( names , email addresses , etc . ) Salted Hash reached out to Annex Business Media and asked about the Ashley Madison records , as well as to inform them about the more recent security problems , but the company didn ’ t respond to questions . Additional digging led Vickery to discover that Annex was just one part of a larger data breachAttack.Databreach, one that affected all of KWIC Internet 's customers . “ I quickly realized that this one is going to be a real mess for someone to clean up and quite a headache to determine all the affected parties , ” Vickery told Salted Hash . In all , there were terabytes of KWIC data exposed by the breachAttack.Databreach. The information inside the leaked databases included credit card details , email addresses , passwords , names , home and business addresses , phone numbers , email backups , VPN details and credentials , internal KWIC backups , and more . The KWIC archives also included a common PHP shell named r57 , and a PHP-based DDoS tool , suggesting that the company had been hackedAttack.Databreachat some point prior to leaking their backups to the public . “ There are dozens of SQL database backup files and thousands of email backup directories containing everything from internal KWIC staff login credentials to police warrants for ISP subscriber information , ” Vickery said . Other customers exposed by the KWIC data breachAttack.Databreachinclude at least one law firm , Norfolk County ( norfolkcounty.ca ) , United Way ( unitedwayhn.on.ca ) , and Greenfield Dental Health Group ( greenfielddentistry.ca ) . In March of 2016 , Malwarebytes researcher Jérôme Segura discovered a KWIC customer , Norfolk General Hospital , had a compromised Joomla install that was being used to distribute Ransomware . When Segura reached out to contact the hospital about the incident , they didn ’ t respond right away because the notification was viewed as a sales pitch . KWIC thought a second Malwarebytes notification was a Phishing attackAttack.Phishing. There are a number of unknowns connected to this incident , including the root cause , the number of people and businesses affected , and again - the length of time the data remained exposed to the public . Other questions focus on the PHP shell scripts and DDoS tools , why were they there ? KWIC was contacted immediately after Salted Hash was informed about the data breachAttack.Databreach. It took multiple attempts , as the company does n't have phone support after 8:00 p.m. on weekdays , 3:00 p.m. on Saturdays ( they 're closed Sunday ) , but KWIC eventually responded via email . Twenty-four hours after being notified , the company stated the Rsync issues were fixed , However , they have n't answered any of the other follow-up questions asked by Salted Hash . On Tuesday , via email , the company said an audit was underway and affected customers would be notified once it is complete
News Corp is a network of leading companies in the worlds of diversified media , news , education , and information services . Addresses , names and phone numbers for staff were accessedAttack.Databreachin the data breachAttack.DatabreachSPORTS Direct failed to tell its workers about a major data breachAttack.Databreachthat saw personal information accessedAttack.Databreachby hackers . A cyber attacker gained accessAttack.Databreachto internal systems containing details for phone numbers , names and home and email addresses of the retail giant's 30,000 staff members . But according to The Register , workers still have n't been told about the breachAttack.Databreach, which took place in September . Sports Direct discovered the attackAttack.Databreachthree months later after a phone number was leftAttack.Databreachon the company 's internal site with a message encouraging bosses to make contact . Chiefs filed a report with the Information Commissioner 's office after it became aware that personal information had been compromisedAttack.Databreach. But as there was no evidence the data had been sharedAttack.Databreach, Sports Direct did n't report the breachAttack.Databreachto staff . The blunder is the latest in a string of controversies surrounding the sporting goods retailer . Allegations also surfaced of some workers being promised permanent contracts in exchange for sexual favours . Committee chairman Iain Wright said evidence heard by MPs last year suggested Sports Direct 's working practices `` are closer to that of a Victorian workhouse than that of a modern , reputable High Street retailer '' . In November , six MPs from the Business and Skills Committee said attempts were made to record their private discussions when they visited Sport Direct to investigate working practices . A spokesman for Sports Direct said : `` We can not comment on operational matters in relation to cyber-security for obvious reasons .
A security lapse at content distribution network provider Cloudflare that resulted in customer data being leakedAttack.Databreachpublicly for several months was bad - but had the potential to be much worse . That 's Cloudflare 's initial postmortem conclusion after a twelve-day review of log data related to the breachAttack.Databreach. The review showed no evidence that attackers had exploitedVulnerability-related.DiscoverVulnerabilitythe flaw prior to it being discoveredVulnerability-related.DiscoverVulnerabilityand patchedVulnerability-related.PatchVulnerability, Cloudflare CEO and founder Matthew Prince said in a blog Wednesday . A `` vast majority '' of Cloudflare 's customers also did not appear to have had any of their data leakedAttack.Databreach. Cloudflare ’ s inspection of tens of thousands of pages that were leakedAttack.Databreachfrom its reverse-proxy servers and cached by search engines revealed a `` large number '' of instances of internal Cloudflare cookies and headers . But so far , according to Prince , there ’ s no evidence that passwords , credit card numbers , and other personal data were compromised as was initially feared . The Cloudflare security snafu stemmed from the manner in which a stream parser application that the company uses to modify content passing through its edge servers handled HTTP requests . The bug caused the parser to read memory not only from the HTML page that was being actually parsed , but also from adjacent memory that contained data in response to HTTP requests made by other customers . The flaw was triggered only when pages with certain specific attributes were requested through Cloudflare ’ s CDN . `` If you had accessed one of the pages that triggered the bug you would have seen what likely looked like random text at the end of the page , '' Prince said . A lot of the leaked data ended up getting cached by search engines and Web scrapers . A security researcher from Google ’ s Project Zero threat hunting team alertedVulnerability-related.DiscoverVulnerabilityCloudfare to the bug last month . The company claimed it fixedVulnerability-related.PatchVulnerabilitythe problem in a matter of hours after being notifiedVulnerability-related.DiscoverVulnerabilityof the problem . Some have compared the breach to Heartbleed and have even called it Cloudbleed . In his blog , Prince compared the threat posed by the bug to that posed by a stranger eavesdropping on a random conversation between two employees . Most of the time , the stranger would likely hear nothing of value , but occasionally might pick upAttack.Databreachsomething confidential . The same would have been true for a malicious attacker , who had somehow known aboutVulnerability-related.DiscoverVulnerabilitythe bug and exploitedVulnerability-related.DiscoverVulnerabilityit before Cloudflare ’ s fixVulnerability-related.PatchVulnerability, he said . The customers most at risk of having their data exposedAttack.Databreachwere those that sent the most requests through Cloudflare ’ s CDN . Cloudflare ’ s detailed postmortem and mea culpa evoked a mixed response from security experts . Ilia Kolochenko , CEO of Web security firm High-Tech Bridge praised Prince ’ s effort to be transparent about what went down . `` Even if we can not verify the accuracy of all the numbers inside – for the moment , I don ’ t have a valid reason to question either its content , or conclusion , '' Kolochenko says . In fact , until someone can come up with a credible rebuttal of Cloudflare ’ s internal investigation , it ’ s inappropriate to compare what happened at the company to Heartbleed . `` I ’ d say it ’ s inappropriate even to call this particular incident a 'Cloudbleed , ' '' he says . `` In the Heartbleed case , almost every company in the world , many software vendors including cybersecurity companies , were seriously impacted by the vulnerability . '' Heartbleed also resulted in multiple breachesAttack.Databreachand many organizations continue to be exposedAttack.Databreachto the threat . Neither of those situations applies to the Cloudflare security lapse . `` All avenues of Cloudflare ’ s vulnerability exploitation seems to be mitigatedVulnerability-related.PatchVulnerabilityby now , '' he says . But Kunal Anand , CTO of application security vendor Prevoty , says the details Cloudflare has shared are n't exactly reassuring . If no sensitive information like credit numbers and Social Security Numbers were leakedAttack.Databreachand the leaked dataset itself was relatively small , there is no reason why Cloudflare should n't share it with a third-party for an unbiased review , he says . `` CloudFlare needs to realize that HTTP headers , including cookies , contain sensitive information like session identifiers , authorization tokens and IP addresses , '' Anand says . `` All of these data points should count as private data . '' CloudFlare has been working with various search engines to purge their caches , but in the process , any evidence of the data that was leakedAttack.Databreachis being deleted as well . That makes it hard to quantify the scope of the data breachAttack.Databreachoutside of CloudFlare 's own logs . `` There 's a lot of speculation if nation-state sponsored engines will actually purge the data or copy it for further analysis , '' Anand says .