Shopify, the company whose software runs the Fangamer store (and more than a million others online), has informed us that an internal security event it has been investigating since late last year included Fangamer customer data. Information regarding customer financial accounts and payment cards was not affected, but we are writing to make you aware of the situation.
According to Shopify, certain members of its support team used their Shopify credentials to obtain archived customer data from several hundred stores without authorization. The team members accessed data associated with order fulfillment — names, addresses, email addresses, cart contents, and phone numbers — but did not access or acquire any financial-account or payment-card information.
We are extremely frustrated and sorry to be sending you this email; Fangamer's internal development team takes data security extremely seriously. Data not in Fangamer's Shopify store — including Kickstarter backer information, account information and passwords, and email addresses used to sign up for our newsletter — was not accessed, and the store continues to operate as normal. Fangamer Japan, which operates as a separate store, was also not affected.
Shopify has terminated the employees who did this and eliminated the vulnerabilities that made it possible. Shopify has also reported that it will be providing any other relevant information to us as its investigation continues, and we'll pass along any new material details. If you have any questions, though, please contact us at orders@fangamer.com.
Thank you, Fangamer
Dear Cloudflare Customer,
We're reaching out to make you aware of a Workers KV vulnerability, and the details you'd need to determine if you were impacted. We do not have reason to believe any Workers KV customers were impacted by the vulnerability, but we wanted to disclose information in an abundance of caution. This only affected users of Workers KV (about 0.034% of Cloudflare customers) and not other Cloudflare products or customers. You are completely unaffected if you never made your Namespace’s ID public or available to a third party.
Summary: If you made public (for example in source code), or gave a third party access to, a Workers KV Namespace’s ID (which is an unguessable, random 122-bit value, a UUID4), the third party could have used it to read or modify content in that Namespace.
Remediation: We have fixed this vulnerability. After receiving a report from a security researcher, we were able to confirm the existence of the vulnerability on October 14, 2019 at 12:53:21 -0500 and we prepared and released a patch which was completed that day at 16:45:38 -0500.
Impact: We have reviewed logs going back at least 30 days for API access and one year for direct access, and found no abuse during those periods. While we believe any earlier unauthorized access is extremely unlikely, we are erring on the side of caution and sharing this information with you.
If you made your Namespace’s ID public, you may wish to review the information stored in your Workers KV Namespace and take action to secure any sensitive information. For example, if you were using Workers KV to store access tokens, you may want to expire and rotate them.
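One way to carry out the check the notice asks for (did a Namespace ID ever appear in source code or other files handed to a third party) is to scan a code base for your known IDs. The script below is an added example and is not part of Cloudflare's notice or its tooling. It assumes the ID appears in text either as the dashed UUID4 the notice describes or as the same 32 hex digits with the dashes removed; every ID and file content in it is a constructed placeholder.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Matches a UUID-shaped value (8-4-4-4-12 hex groups). The dashes are optional
# so the bare 32-hex spelling is found too (assumption: IDs occur in one of
# these two forms). A plain 32-hex hash will also match the pattern, but it is
# only reported if it equals one of the known IDs, so that causes no false hits.
UUID_RE = re.compile(
    r"\b([0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12})\b",
    re.IGNORECASE,
)


def normalize(candidate: str) -> str:
    """Canonical form (lowercase, no dashes) so both spellings compare equal."""
    return candidate.replace("-", "").lower()


def find_exposed_ids(text: str, known_ids: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, matched_text) for every occurrence of a known ID."""
    wanted = {normalize(i) for i in known_ids}
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in UUID_RE.finditer(line):
            if normalize(match.group(1)) in wanted:
                hits.append((lineno, match.group(1)))
    return hits


def scan_sources(files: Dict[str, str], known_ids: Iterable[str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a mapping of filename -> content; return only the files that contain a known ID."""
    report: Dict[str, List[Tuple[int, str]]] = {}
    for name, content in files.items():
        hits = find_exposed_ids(content, known_ids)
        if hits:
            report[name] = hits
    return report


# Constructed placeholder: the Namespace IDs you own (not a real Cloudflare ID).
KNOWN_NAMESPACE_IDS = {"0f3a9c2e-6b1d-4c7e-8a52-1d9e4b7c3f10"}

# Constructed sample files standing in for a checked-out repository.
SAMPLE_FILES = {
    "worker.js": 'const NS = "0f3a9c2e-6b1d-4c7e-8a52-1d9e4b7c3f10"; // dashed form\n',
    "deploy.sh": "NS_ID=0f3a9c2e6b1d4c7e8a521d9e4b7c3f10\n",  # same ID, no dashes
    "other.js": 'const REQUEST_ID = "7c1e5a2b-9d04-4f6a-b3e8-2a5c9d1e7f40";\n',  # unrelated UUID
    "README.md": "The KV namespace ID is read from an environment variable.\n",
}

if __name__ == "__main__":
    for name, hits in scan_sources(SAMPLE_FILES, KNOWN_NAMESPACE_IDS).items():
        for lineno, value in hits:
            print(f"{name}:{lineno}: known KV Namespace ID appears in source: {value}")
```

Run it against the files of every repository, build script and ticket export that left your organisation; any hit for a current Namespace ID is the signal to review that Namespace's contents and rotate anything sensitive stored in it, as the notice advises.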
Cloudflare works closely with security researchers through HackerOne. We are grateful to the researcher who found and reported this vulnerability, and we have paid a bug bounty. We care deeply about security, and we regret any inconvenience this may cause.