Please Change Your Passwords

In response to news of an information leak at CloudFlare, we are requesting that our users take the time to change their passwords on potentially affected websites, including e621. Here at e621 we use CloudFlare to help protect against distributed denial of service attacks that would be disruptive to usage of the site, and it is an important part of our architecture. CloudFlare recently announced that an extremely small percentage of requests could result in leaked information from previous requests being included by mistake. CloudFlare has since resolved the issue that was leaking information.

While we have found no evidence that this leak has personally affected e621, we cannot be sure of the scope of the leaked information. As a result, we are requesting that you change your password as a precaution.

The official announcement from CloudFlare can be found here.

Because this has the potential to have impacted a very large number of sites, you should review your password-sharing habits and consider using a password manager and a unique password per website.

A list of potentially impacted sites can be found here.

Stay safe out there.
~e621 Staff

Clarification edit:
This does not represent a compromise of the e621 website or services. The website was not hacked or compromised as a result of this event. This is a precautionary advisory only.


KiraNoot said:
--snip--

oh no cloudflare spilled the beans


Fer goodness sake it's 2017 and buffer overruns keep getting by programmers. This is why we can't have nice things.

The details...

It's insanely unlikely anything will come of this.


I've been inconvenienced for a few seconds.

Curses.


rysyN said:
Fer goodness sake it's 2017 and buffer overruns keep getting by programmers. This is why we can't have nice things.

The details...

It's insanely unlikely anything will come of this.

I also consider it unlikely that anything will come of this. It was well handled, and the search engine teams were on board clearing out indexed information before it was announced.

I still consider it good practice to let users know if their information was potentially compromised, no matter how small the chance, and how they can respond to it. I would much rather have a user know and be able to respond, than be unaware and be unable to react if that chance is not in their favor.


I question how a memory leak from here would benefit those who don't browse e621.


Unless it's something official like a bank account, I use a bullshit password for random online services. I hope to God no one uses my e621 password to also access two expired porn subscriptions and an empty discord


Neferpitou said:
I wonder how a memory leak from here would benefit those who don't browse e621.

Thinking this through only two options that pop into my head at the moment are:
a) A group of people having a furry witch hunt.
b) pepper can use the accounts as members of his 'army'.


FustratedFeathers said:
I've been inconvenienced for a few seconds.

Curses.

I know, right? Updating my passwords is such a chore. :P

Shouldn't be a big deal, but better safe than paranoid I always say. Which is really small condolences when you actually have clinical paranoia....


OrangeLightning said:
Thinking this through only two options that pop into my head at the moment are:
a) A group of people having a furry witch hunt.
b) pepper can use the accounts as members of his 'army'.

Who's pepper?


Neferpitou said:
Who's pepper?

Nobody worth remembering.


404_ArtNotFound said:
Nobody worth remembering.

Not for me, that is. I feed on drama-whores' tears but I try keeping the enjoyment all to myself.

Genjar
Contributor
28 days ago

Neferpitou said:
Who's pepper?

Just a troll who feeds on attention.


Genjar said:
Just a troll who feeds on attention.

This guy?

Genjar
Contributor
28 days ago

Neferpitou said:
This guy?

Like I said, not worth talking about. He hasn't been active after his troll-group (and main gaming account) got banned on Steam, anyway.

v He's a troll. Admin of a trolling-group on Steam, and all that.


Neferpitou said:
This guy?

Just looked at his comments... This guy is nuts. I can't tell if he's delusional or just trolling.


Wait, would our password be sent in requests if we've been logged in the entire time, or only if we had to re-enter it?


Furrin_Gok said:
Wait, would our password be sent in requests if we've been logged in the entire time, or only if we had to re-enter it?

Only if you had to re-enter it. It would still be wise to change it as a precaution, even if you did not log in during that period, but the choice is yours.


Done, just in case


somehow, i don't feel much of a need to do this. the oldest account i even remember using my current password for is my account on kongregate and that one is 9 years old as of november 28 this year. not only that but the closest i ever come using any personal info for anything would be my PSN account (which i only use on the console) and signing my name on a check each month. unless i'm forgetting a, likely dead or inactive, account somewhere that asked for such info.

no, wait, i think i have a different username & password for the PSN account. plus, whenever a site asks for my birth date i always enter it with at least one number off (month, day, or year). so that's useless info.

even i don't know how far my trail of dead and/or inactive accounts goes. it goes at least as far as whenever the lich king expansion for WoW was released. i remember that much.

so yeah, it's far more likely that anyone with my password will hit 1 of a VERY few active accounts of little to no value or countless dead and forgotten accounts. i know better than to leave personal info lying around. :P

HypnoBitch said:
Just looked at his comments... This guy is nuts. I can't tell if he's delusional or just trolling.

welcome to the club. here's some snacks. lol


Thanks for the warning


According to this one, there could be over 4 million sites affected, which includes some mobile apps.
https://github.com/pirate/sites-using-cloudflare

Also remember this does affect other furry-related sites using Cloudflare services, including furaffinity, weasyl and patreon, not just e6.

It does already help if you are doing your basic account security correctly, meaning 2FA on at least the most important services, a different password on every single service, passwords that are hard to brute-force, changing passwords periodically on services you use commonly, especially if they do not allow 2FA, etc. This way, even if a single login has bled from this mess, it means an attacker can only access that one account of yours, if even that.

Good password managers (not the one built into the browser) can also help to avoid falling into pitfalls like easy/same passwords and avoid keyloggers getting information, but in cases like this they bleed exactly the same as other passwords.

parasprite
Contributor
27 days ago

treos said:
i know better than to leave personal info lying around. :P

> leaves a bunch of personal info lying around


my RPs as a sea anemone might be compromised


Well that sucks


Change your password

What?! No! NO! NO!

I have finally managed to consolidate all of my online accounts under a master password that nobody is likely to ever guess! I am NOT changing my f**king password again! I don't have to worry about any sensitive personal or financial information on the web being stolen, because I don't have any sensitive personal or financial information on the web TO steal! I don't care if CloudFlare had a leak--I cannot deal with this crap again! >:C


remember your NUCs (never use Cloudflare).

@above poster, having a single hard-to-guess password is many orders of magnitude unsafer than having multiple easy-to-guess passwords. best thing is to have many hard-to-guess passwords, which is why you use a password manager like Master Password (the app).


fewrahuxo said:
remember your NUCs (never use Cloudflare).

@above poster, having a single hard-to-guess password is many orders of magnitude unsafer than having multiple easy-to-guess passwords. best thing is to have many hard-to-guess passwords, which is why you use a password manager like Master Password (the app).

I believe that they are joking.


The_Masked_Newfag said:
What?! No! NO! NO!

I have finally managed to consolidate all of my online accounts under a master password that nobody is likely to ever guess! I am NOT changing my f**king password again! I don't have to worry about any sensitive personal or financial information on the web being stolen, because I don't have any sensitive personal or financial information on the web TO steal! I don't care if CloudFlare had a leak--I cannot deal with this crap again! >:C

Calm down. Literally something as easy as "synonym for theme or name of site" followed by "something I really enjoy" (Especially if it can relate to the site as well) and finally just a number you like is better than a master password. Like, "Big_Salted_Boobs_11", where e621 is another term for salt, and your favorites include large boobs, with your joindate being 2011.
...Though I'd definitely recommend a tad more personalization than two things directly visible from your profile, of course. Another way to look at the theme of e621 is porn of whatever sort, blue/yellow, hexagons, or any of the mascots. You can even go a bit indirect: The San Diego Chargers use both blue and yellow in their team colors, which would make Chargers or Charging a viable word for use, if your mind can process mnemonics that way.


Thanks, better safe than sorry


Already affected me, wads of money started disappearing out of my bank account. I managed to put a stop to it, but it's still gonna take a few weeks to get the money back. I've already gone and changed my password on ALL of the MILLION BILLION sites I use.