Today the widely-used content delivery network (CDN) Cloudflare reported a massive leak of cached HTTP server responses containing sensitive data, including cookies, passwords, and authentication tokens. This leak has been labelled "Cloudbleed."
BitPay, Cloudflare, and Cloudbleed
BitPay uses Cloudflare for denial of service prevention and caching of web content. We do not and did not use the main Cloudflare feature which had the security flaw, and we believe that no BitPay or BitPay user data was compromised. Cloudflare has no evidence that this bug has been exploited, and they have informed us that no data from any of BitPay's sites were found in any leaked web caches.
The BitPay API's BitAuth-based tokens are secured with client-side private keys which are never transmitted to BitPay's servers. If any API requests that were protected by a signature were leaked, the sensitive data would still be inaccessible without access to the private key.
BitPay User Data Unaffected
We believe that it would not be possible for a BitPay user’s password to have been exposed by this bug. In addition to server-side hashing of passwords, BitPay hashes passwords client-side before communicating them to BitPay servers.
While no BitPay users' account passwords were compromised in this Cloudflare leak, we still recommend that you take the time to reset your password. It is theoretically possible that hashed passwords could have been accidentally leaked, making it possible to access the affected account. However, we have no reason to believe that this has in fact occurred.
If you use the third-party integrations in Copay or the BitPay wallet, be aware that both Coinbase and Glidera were potentially affected sites. We recommend that you also reset your password and review your other authentication methods on these services.
Security Recommendations for BitPay Users
When resetting your password, we strongly recommend creating a unique password. It bears repeating that you expose yourself to much greater security risk if you reuse passwords at all for online accounts. We also recommend implementing a password manager such as 1Password which will allow you to securely manage more complex (and therefore more secure) passwords.
We do not believe that any BitPay account two-factor authentication (2FA) keys were affected by Cloudbleed. However, you can easily remove and reset your BitPay merchant account 2FA and your BitPay Card account 2FA if you wish.
If you do not have two-factor authentication set up for your online accounts, we strongly recommend it. Device-based two-factor authentication (2FA) methods like Google Authenticator provide a second level of security for account access, which can come in handy if your password is ever compromised. Bitcoin exchange Kraken recently released a great blog post detailing the importance of a proper device-based two-factor authentication setup and not relying on the security of mobile phone numbers and SMS two-factor solutions.