[4][11] Tavis Ormandy, first to discover the vulnerability, immediately drew a comparison to Heartbleed, saying "it took every ounce of strength not to call this issue 'cloudbleed'" in his report.
[1] On Thursday, February 23, 2017, Cloudflare wrote a post noting that:[12] The bug was serious because the leaked memory could contain private information and because it had been cached by search engines.
[7] Tavis Ormandy initially stated that he was "really impressed with Cloudflare's quick response, and how dedicated they are to cleaning up from this unfortunate issue.
[16] In a blog post, Jeffery Goldberg stated that no data from 1Password would be at risk due to Cloudbleed, citing the service's use of Secure Remote Password protocol (SRP), in which the client and server prove their identity without sharing any secrets over the network.
1Password data is additionally encrypted using keys derived from the user's master password and a secret account code, which Goldberg claims would protect the credentials even if 1Password's own servers were breached.
[17] Many major news outlets advised users of sites hosted by Cloudflare to change their passwords, as even accounts protected by multi-factor authentication could be at risk.
[22] Researchers at Arbor Networks, in an alert, suggested that "For most of us, the only truly safe response to this large-scale information leak is to update our passwords for the Web sites and app-related services we use every day...Pretty much all of them.
"[23] Inc. Magazine cybersecurity columnist, Joseph Steinberg, however, advised people not to change their passwords, stating that "the current risk is much smaller than the price to be paid in increased 'cybersecurity fatigue' leading to much bigger problems in the future.