A bug was recently discovered in Cloudflare, which DigitalOcean, BitPay, Coinbase/GDAX, Kraken, Poloniex, and other websites use for DoS protection and other services. Due to the nature of the bug, we recommend that you change your security credentials for affected sites:
- Change your account password
- Change your two-factor authentication (remove and re-enable it)
- Remove and regenerate any API keys used for these accounts
You may do so here for DigitalOcean:
- Passphrase – https://cloud.digitalocean.com/settings/profile/edit
- 2FA – https://cloud.digitalocean.com/settings/security
We do not believe that DigitalOcean server droplets were made specifically vulnerable as a result, given that the default setup for operators' servers is to use only SSH keys: the private key remains on your computer and does not touch DigitalOcean's site. BitGo and Bitstamp have confirmed that they were not affected.
You should similarly change your security credentials for other websites that use Cloudflare. See this link for a list of possibly affected sites: https://github.com/pirate/sites-using-cloudflare/blob/master/README.md
If you are using the same password for multiple sites, you should change this immediately so that you have a unique password for each site. You should also enable two-factor authentication for every site that supports it.
The Cloudflare bug has now been fixed, but it caused sensitive data like passwords to be leaked during a very small percentage of HTTP requests.
Here is an article for further reading on the Cloudflare bug: https://techcrunch.com/2017/02/23/major-cloudflare-bug-leaked-sensitive-data-from-customers-websites/
Please let us know if you have any questions about the above.