Denise ([staff profile] denise) wrote in [site community profile] dw_maintenance, 2017-02-25 09:42 pm

Two quick things

Cloudflare

We've had people ask us about the Cloudflare leak reported a few days ago. We are Cloudflare customers, and it is possible that login cookies or passwords may have been exposed as part of the incident. We believe the risk to you is relatively low -- it was a small percentage of Cloudflare's requests that were involved over a relatively short period of time, and we haven't found any evidence that anything from us was among them. This is not an absolute guarantee that none of your accounts were affected, but we don't think the likelihood is very high.

Because we believe the risk to be low, we aren't automatically expiring everyone's session cookies and requiring you to log back in and change your password -- whenever we do that, it does lock out some people who can't remember their passwords and no longer have access to their confirmed email addresses, and we believe that would affect more people in this case.

Still, it's always a good idea to change your passwords regularly, and now would be a good time to do it, especially if you want peace of mind. We have a FAQ on how to change your password. If your browser logs you in automatically and you don't remember your password, you can reset it. If you've forgotten your password and no longer have access to your most recent confirmed email address, you can have the password reset email sent to any email address you've confirmed on your account by entering both your username and your old email address at the Lost Info page.

Unfortunately, if you've forgotten your password and no longer have access to any email address you've confirmed on your account, you probably won't be able to reset your password. In some cases, if you've previously paid for your account, we can validate your payment details to confirm your identity and reset your password. If you can't reset your password, but think you may have paid for your account in the past, you can open a support request in the Account Payments category and I'll check into it for you.


LiveJournal imports/crossposts/feeds

LiveJournal has temporarily blocked about two-thirds of our webservers from contacting their site, presumably because they feel that we're requesting data from them too often. This affects the ability to import your journal, the ability to crosspost entries from your Dreamwidth account to your LiveJournal account, and whether syndicated feeds of accounts on LiveJournal will update on Dreamwidth. Those features will fail when they're unable to contact LJ because of the block.

It isn't every one of our webservers, so things will work intermittently -- if you crosspost two entries one right after the other, one might succeed while the other fails. Unfortunately, there isn't much we can do to resolve this other than contacting them and asking them to unblock us (which I'll be doing right after I hit 'post' on this entry).

EDIT 2249 EST 25 Feb: We appear to be down to zero unblocked webservers, so imports, crossposts, and feeds will all fail until LJ unblocks us.

EDIT 26 Feb noon EST: LJ unblocked and whitelisted us this morning, so all is working again!

[personal profile] my_tucker 2017-02-27 09:27 am (UTC)
Thanks for your transparency about being a potentially affected site with this Cloudbleed thing. I hadn't heard about it. It's good to know that you consider the risk to your users is very low. I've changed the passwords on my accounts just in case. Re expiring session cookies - is that something we can do ourselves via the manage login sessions part of our account settings?

Also, the article you've linked to said most of the Cloudbleed activity happened between 13th-18th Feb. Within that period I bought a paid account and a large number of icon slots (on another DW account) - would my credit card details, address or anything like that potentially have been exposed IF by some small chance this issue affected my Dreamwidth session? Or journal entries? Or would it just be passwords and/or login cookies. I do realise you think it very unlikely Dreamwidth was affected - I'm just curious about what might have been exposed if you were.

And excellent news that LJ has whitelisted DW again. :) DW is my journalling home now, but I do still x-post to LJ.
Edited 2017-02-27 09:27 (UTC)

[personal profile] my_tucker 2017-02-27 08:31 pm (UTC)
Thanks. I thought that was the case re login cookies but just wanted to check (at the risk of it being a dumb question)!
OK, re CC. I won't lose sleep but I will keep an eye on that account. It looks as it should atm.